Re: Can anybody try downloading the splunk app fro...

Suryadeep · ‎09-27-2015

I recently downloaded a sunburst app from https://splunkbase.splunk.com/app/1855/ to integrate it as a sunburst dashboard with my existing splunk app.

The problem : The custom search query is not getting rendered.

The query :
index=csfindex_apilogger
|table message.userName,message.employerName,message.pageName,_time
|spath

|rename message.userName as userName, message.pageName as pageName,message.employerName as employerName
|where len(employerName)> 0 AND len(userName)>0
|dedup pageName,userName
|stats list(pageName) as series,count(employerName) as count by employerName
|eval steps= mvjoin(series,"-")|fields steps,count

I walked through the steps exactly as mentioned below in the apps manual,
and my search query does return the mentioned data format

Create a clone of this dashboard
Move the dashboard to your app.
Copy the autodiscover.js file, sequences_sunburst directory,d3 directory from $SPLUNK_HOME/etc/apps/sequences sunburst/appserver/static to your app's appserver/static directory
Change the search string between <searchTemplate> tag in the source xml.Your search have to return 2 fields: steps and count In the steps field separate steps name with a "-" (hyphen)Like this:step1-step2-step3-step4.
Replace the explanation text in the visualization settings
Delete this html panel from the source xml

Note * The Default query in the simple xml was <searchTemplate>|inputlookup visit-sequences.csv</searchTemplate>
Even with the default configuration and the xml intact the search does not seem to work not only in the clone but also the app's default example too

The notification/error that displays in the panel is
Sample - webpage visits - No search set.

I validated the inputlookup visit-sequences.csv by
1. Putting it in a lookup folder inside the app's directory structure followed by a splunk search
2. Restarted splunk
3. Building an index over the visit-sequences.csv file and queried it using the index
4. Repeated the above in a fresh app and the queries did work with the desired result sets

I wonder what I am missing in the process?

Looking forward to an immediate assistance.

klapper · ‎09-27-2015

replace this line in the example view (make_your_own)

<searchTemplate>|inputlookup visit-sequences.csv</searchTemplate>

with this:

<search id="search1">
  <query>|inputlookup visit-sequences.csv</query>
</search>

There are changes in recent Splunk version so you have to specifiy the id in the search definition.

In your xml that will be look like this:

   <search id="search1">
      <query>index=csfindex_apilogger
|table message.userName,message.employerName,message.pageName,_time
|spath
|rename message.userName as userName, message.pageName as pageName,message.employerName as employerName
|where len(employerName)> 0 AND len(userName)>0
|dedup pageName,userName
|stats list(pageName) as series,count(employerName) as count by employerName
|eval steps= mvjoin(series,"-")|fields steps,count</query>
      <earliest>-7d@d</earliest>
      <latest>now</latest>
   </search>

I will update the app to be compatible with recent versions of Splunk.

Suryadeep · ‎09-28-2015

@klapper , very thankful indeed.
I am yet to try this as I'm waiting for license renewal.

Shall look forward to try the updated app as well.

Suryadeep · ‎10-05-2015

Did not work out.

Can anybody try downloading the splunk app from https://splunkbase.splunk.com/app/1855/ , use a custom search query, make it work and share the steps undertaken?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?