Dashboards & Visualizations

Metadata as a drill-down search

sf_user_199
Path Finder

I have a drilldown search on a dashboard that I am calling like this:

<module name="HiddenSearch">
    <param name="search">| metadata type=hosts index=* | <more search here></param>

This search works when run manually, but no results are returned when used on the dashboard. If you open search inspector:

This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

None | metadata type=hosts index=* | <more search here>

I've used | Metadata on dashboards before, and this hasn't caused an issue previously. Sometimes I've used a macro os saved search to get it to work, but neither approach is working in this use case.

Any suggestions?

0 Karma

Drainy
Champion

One other option, I think it was pre-v5 Metadata would run over alltime, post v5 (possible 4.3) it now requires a time range to search over, after upgrade I actually had a few dashboards fail completely as they previously worked on the assumption of an all time search, but then I had to start specifying a time range (at least if my memory serves me right thats the way round it was)

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Not sure why it's not working without experiment, but you could do something "odd".

|metadata type=hosts index=* | outputlookup tmp_meta.csv | inputlookup append=t tmp_meta.csv | more_search_here

The idea behind this is that "metadata" doesn't return "actual events", and as such, can't do more searching on them. So I believe you can write to a lookup with metadata, and then input those values, turning them into "actual events" that can then have extra search stuff applied. I think. Give it a whirl and see if it helps.

nmistry_splunk
Splunk Employee
Splunk Employee

It works fine for me. Could you share your dashboard xml?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...