Loading base query by token

swazimodo
Path Finder

I'm trying to create a dashboard that does not execute the same queries multiple times. From what I have been able to find out online the way to do that is to set a token on your query so it can be loaded with the loadjob command. The problem I run into is that usually the loadjob command fails but if you try enough times it will eventually work. Even after it does work for you it will still fail randomly.

Error in 'SearchOperator:loadjob': The search artifact for job 'jdoe_jdoesearch_RMD578119c482df4f4b5_1575320222.1839344_1947AF77-263B-4511-A214-6F0DDCA0EDC5' is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally.

Here is an example dashboard to show this problem. The top panels reference the base queries by ID and you can see when those complete. The chart at the bottom tries to load both base queries by token and combine them together. This fails in the dashboard but if you click the search button on this panel to get the real search query and run it enough times it will eventually work.

<form>
  <label>Example</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search id="thing-one">
    <query>index=myapp "thingOne" | eval lineSource = "Thing One"</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <done>
      <condition>
        <set token="Thing_One">$job.sid$</set>
      </condition>
    </done>
  </search>
  <search id="thing-two">
    <query>index=myapp "thingTwo" | eval lineSource = "Thing Two"</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <done>
      <condition>
        <set token="Thing_Two">$job.sid$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <single>
        <title>Total of thing one</title>
        <search base="thing-one">
          <query> | stats count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Total of thing two</title>
        <search base="thing-two">
          <query> | stats count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Things by time</title>
        <search>
          <query>| loadjob "$Thing_One$" | append [ | loadjob "$Thing_Two$"]
 | timechart span=1h count by lineSource</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.chart.showDataLabels">none</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma

dindu
Contributor

Hi,

I just modified the dashboard and it is working for me every time.
To debug the job id, I am printing it in an html inside. You could remove it in the final code.
Please try and let me know whether this is working.

    <form>
       <label>Example</label>
       <fieldset submitButton="false">
         <input type="time" token="field1">
           <label></label>
           <default>
             <earliest>-24h@h</earliest>
             <latest>now</latest>
           </default>
         </input>
       </fieldset>
       <search id="thing_one">
         <query>|makeresults | eval first="thingOne" | eval lineSource = "Thing One"</query>
         <earliest>$field1.earliest$</earliest>
         <latest>$field1.latest$</latest>
         <done>
          <set token="Thing_One">$job.sid$</set>
         </done>
       </search>
       <search id="thing_two">
         <query>|makeresults | eval second="thingTwo" | eval lineSource = "Thing Two"</query>
         <earliest>$field1.earliest$</earliest>
         <latest>$field1.latest$</latest>
         <done>
          <set token="Thing_Two">$job.sid$</set>
         </done>
       </search>
       <row>
         <panel>
           <single>
             <title>Total of thing one</title>
             <search base="thing_one">
               <query> | stats count</query>
             </search>
             <option name="drilldown">none</option>
           </single>
         </panel>
         <panel>
           <single>
             <title>Total of thing two</title>
             <search base="thing_two">
               <query> | stats count</query>
             </search>
             <option name="drilldown">none</option>
           </single>
         </panel>
       </row>
       <row>
         <panel>
           <html>
             <li>Thing_One : $Thing_One$</li>
             <li>Thing_Two : $Thing_Two$</li>
           </html>
         </panel>
       </row>
       <row>
         <panel>
           <chart>
             <title>Things by time</title>
             <search>
               <query>| loadjob "$Thing_One$" | append [ | loadjob "$Thing_Two$"]
      | timechart span=1h count by lineSource</query>
               <earliest>$earliest$</earliest>
               <latest>$latest$</latest>
             </search>
             <option name="charting.chart">line</option>
             <option name="charting.chart.showDataLabels">none</option>
           </chart>
         </panel>
       </row>
     </form>

dindu
Contributor

Hi,

I am just using the makeresults command to get some sample results. So it's going to be a hardcoded value. Below are the changes:

1) The change here is that I made the "id" of the first query inside the "search" tag; it was inside the "query" tag before.

       <search id="thing_one">
       <query>|makeresults | eval first="thingOne" | eval lineSource = "Thing One"</query>

2) Then, inside the done tag, I removed the condition tag.

         <done>
        <set token="Thing_Two">$job.sid$</set>
       </done>

Please check

swazimodo
Path Finder

The search ID was a typo in my question and I have updated it to remove confusion. Removing the condition tag did improve the reliability but I'm still getting the error some of the time. I'm wondering if there is a problem with long running queries.

0 Karma

swazimodo
Path Finder

'+1' for the debugging tip but I'm not seeing what changed here. Did you just change the original queries to some hard coded values? When I ran this dashboard I still got the same error.

0 Karma
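
An added example, not from any poster in this thread: the error quoted in the question is raised by `loadjob` when it is given the SID of an ad-hoc job in a search head cluster, so this variant of the question's dashboard drops `loadjob` and feeds all three panels from one base search. The `things` id, the `searchmatch`-based `lineSource` assignment and the hourly pre-aggregation are assumptions; an event containing both strings is counted once, as "Thing One".

```xml
<form>
  <label>Example (single base search, no loadjob)</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Assumed replacement for thing-one/thing-two: one transforming base search. -->
  <!-- Panels post-process its results, so no job artifact is fetched by SID. -->
  <search id="things">
    <query>index=myapp ("thingOne" OR "thingTwo")
| eval lineSource=case(searchmatch("thingOne"), "Thing One", searchmatch("thingTwo"), "Thing Two")
| bin _time span=1h
| stats count by _time, lineSource</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <row>
    <panel>
      <single>
        <title>Total of thing one</title>
        <search base="things">
          <query>| where lineSource="Thing One" | stats sum(count) as count</query>
        </search>
      </single>
    </panel>
    <panel>
      <single>
        <title>Total of thing two</title>
        <search base="things">
          <query>| where lineSource="Thing Two" | stats sum(count) as count</query>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Things by time</title>
        <search base="things">
          <query>| timechart span=1h sum(count) by lineSource</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the base search ends in `stats`, the post-process searches work on a small hourly table rather than on raw events.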