All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

All Events are not displayed when the child search is being executed

dasari
Engager
‎12-03-2012 02:08 PM

Hi ,

I have a parent search which retrieves list of values in a tabular format. On clicking any of the values the events corresponding to this value(child search) is retreived in another table.

However not all the events are being retrieved. There is only a certain sub set of events which are being displayed. When the same child query is executed on the flash timeline the results are completely different.

I am using a events viewer module to display the results of the child search.Below is the code.

<view isVisible="true" onunloadCancelJobs="true"  template="dashboard.html">
  <label>List Events</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">1</param>
    <param name="clearOnJobDispatch">False</param>
  </module>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>
  <module name="HTML" layoutPanel="panel_row1_col1">
    <param name="html">
      <![CDATA[ Select/Search  For Filtering Logs   ]]>
    </param>
  </module>
  <module name="HTML" layoutPanel="panel_row1_col1">
    <param name="html"><![CDATA[
      <table id='tbalign' width='100%' border ='0'><tr><td align='top' style='width:45%'>   
    ]]></param>
  </module>

  <module name="TextField" layoutPanel="panel_row1_col1" autoRun="False">
    <param name="name">search_filter</param>
    <param name="width">200px</param>
    <!--<param name="label">Search</param> -->
    <param name="template">$value$</param>

    <module name="HTML" layoutPanel="panel_row1_col1">
      <param name="html">
       <![CDATA[</td><td align='top' style='width:40%'> ]]>
      </param>
    </module>

    <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
      <param name="selected">All time</param>
      <module name="HTML" layoutPanel="panel_row1_col1">
        <param name="html">
           <![CDATA[</td><td align='top' style='width:15%'> ]]>
        </param>
      </module>

      <module name="Button" >
        <param name="allowSoftSubmit">True</param>

        <module name="HTML" layoutPanel="panel_row1_col1">
          <param name="html">
             <![CDATA[</td></tr></table>    ]]>
          </param>
        </module>

        <module name="Search" autoRun="True">
          <param name="search">
            index="xyz" sourcetype="log:detailed" name=*$search_filter$* | dedup name | sort name|rename name AS Test | fields Test 
          </param>
          <module name="HTML" layoutPanel="panel_row1_col1">
            <param name="html">
              <![CDATA[ Queue List]]>
            </param>
          </module>
          <module name="SimpleResultsHeader" layoutPanel="panel_row1_col1">
            <param name="entityName">events</param>
            <param name="headerFormat">No of results (%(count)s)</param>

            <module name="Pager">
              <param name="entityName">events</param>
              <param name="maxPages">10</param>

              <module name="SimpleResultsTable" layoutPanel="panel_row1_col1">
                <param name="entityName">events</param>
                <param name="drilldown">row</param>
                <param name="fields">Test</param>

                <module name="Search" autoRun="True">
                  <param name="search">index=xyz name="$click.fields.Test$" </param>

                  <module name="JobProgressIndicator" layoutPanel="panel_row2_col1"></module>

                  <module name="HTML" layoutPanel="panel_row2_col1">
                    <param name="html">
                     <![CDATA[Events for selected Value: <b>$click.fields.Test$ </b>]]>
                    </param>
                  </module>
                  <module name="SimpleResultsHeader" layoutPanel="panel_row2_col1">
                    <param name="entityName">events</param>
                    <param name="headerFormat">No of results (%(count)s)</param>
                  </module>
                  <module name="Pager" layoutPanel="panel_row2_col1">
                    <param name="entityName">events</param>
                    <module name="EventsViewer" layoutPanel="panel_row2_col1">
                      <param name="displayRowNumbers">True</param> 
                      <param name="enableEventActions">False</param> 
                    </module>
                  </module>
                </module>
              </module>  
            </module>
          </module>
        </module>  
      </module>  
    </module>  
  </module>
</view>
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎01-03-2013 10:33 PM

I'm not sure why you're only getting a subset of the correct events.

My first suggestion is that you throw the following into the HTML module immediately downstream from your table click: 

search is : <b>$search$</b>
timerange is : <b>$search.timeRange.earliest$</b>,   <b>$search.timeRange.latest$</b>

Quite possibly there will be something about that search that is different from the control search that you're running in flashtimeline.

That aside, there is one problem with this XML that is possibly contributing to the problem. That is that you have an autoRun="true" nested inside another autoRun="True". This can cause some pretty unpredictable behavior and should never be done. Remove the deeper one and in fact you should remove both of them and have only one living all the way up on the TimeRangePicker module up top. Also delete the autoRun="False" because this is always meaningless.

Here's some other advice to help clean things up:

1) You dont need to respecify the layoutPanel attributes at each level. If a module has no layoutPanel attribute, it will inherit the value from the upstream modules.

2) you are nesting modules downstream from a SimpleResultsHeader but there's no reason for this. You can denest all those and make your view a bit less indented.

3) if you're using HTML modules already you can dispense with these SimpleResultsHeaders and just add 

<h3> No of results $results.count$</h3>

to your existing HTML modules where appropriate. and delete the SimpleResultsHeader modules.

4) You're doing something a bit sketchy by having these fragments of table code carving up the page. I'd be surprised if that was working out correctly in all browsers. Fortunately you can just use panel_row1_col1, panel_row1_col2 and panel_row1_col3 to create three rounded corner panels all in a single row, and if you want to group modules WITHIN a single rounded-corner panel, you can use

panel_row1_col1 - will be a full width subsection across the top of the rounded-corner panel.
panel_row1_col1_grp1 - will be the lower left half of the rounded-corner panel
oanel_row1_col1_grp2 - will be the lower right half of the rounded corner panel.

Likewise if you want to evenly divide the panel into thirds, just add a panel_row1_col1_grp3. All in all I think this will be much easier to keep track of than these fragments of <table> and <tr><td> html .

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...