Metadata as a drill-down search

sf_user_199 · ‎08-16-2013

I have a drilldown search on a dashboard that I am calling like this:

<module name="HiddenSearch">
    <param name="search">| metadata type=hosts index=* | <more search here></param>

This search works when run manually, but no results are returned when used on the dashboard. If you open search inspector:

This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

None | metadata type=hosts index=* | <more search here>

I've used | Metadata on dashboards before, and this hasn't caused an issue previously. Sometimes I've used a macro os saved search to get it to work, but neither approach is working in this use case.

Any suggestions?

Drainy · ‎09-29-2013

One other option, I think it was pre-v5 Metadata would run over alltime, post v5 (possible 4.3) it now requires a time range to search over, after upgrade I actually had a few dashboards fail completely as they previously worked on the assumption of an all time search, but then I had to start specifying a time range (at least if my memory serves me right thats the way round it was)

alacercogitatus · ‎09-29-2013

Not sure why it's not working without experiment, but you could do something "odd".

|metadata type=hosts index=* | outputlookup tmp_meta.csv | inputlookup append=t tmp_meta.csv | more_search_here

The idea behind this is that "metadata" doesn't return "actual events", and as such, can't do more searching on them. So I believe you can write to a lookup with metadata, and then input those values, turning them into "actual events" that can then have extra search stuff applied. I think. Give it a whirl and see if it helps.

nmistry_splunk · ‎09-27-2013

It works fine for me. Could you share your dashboard xml?

Metadata as a drill-down search

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!