Dashboards & Visualizations

[RESOLVED] Search works manually but not in dashboard

ww9rivers
Contributor

[RESOLVED]: See notes below.


Below is a search I am using in a dashboard in a HiddenSearch module:

search index=techsecu_summary source="Top-Internet-connection-permitted" | top asa_srcip, asa_dstip, asa_dstport | eval Connection="(" . asa_srcip . ", " . asa_dstip . ", " . asa_dstport . ")" | fields Connection, count, percent

The dashboard shows "No results found."

When I hit "Inspect", I get a message like this:

This search has completed and found 11,549,745 matching events. However, the transforming commands in the highlighted portion of the following search:

[the search string shown above, with everything after the first | highlighted]

over the time range:

[12/8/13 12:00:00.000 AM – 12/13/13 11:10:30.000 AM]

generated no results.

But if I copy the search string to the "search" app and run it over the same time period (Week to date), I do get results.

Looks like I am missing something really simple, but I am not able to see it. Your insights are much appreciated.

ww9rivers
Contributor

[Resolved] This little issue wasted a few hours of mine!

I'll call it my fault: The problem is that, in splitting the search command into multiple lines to make it a bit more readable, I put a tab in front of the pipe (|) characters. Once I manually replaced the tabs with spaces, the dashboard works as expected.
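
The check below is an added example, not part of the original thread or of Splunk's own tooling: it pulls every `<param name="search">` out of an advanced XML view, reports the position of any tab characters in the search text, and emits the tab-free version the poster ended up with. The `<module>` wrapper and the sample view are constructed from the snippets posted above; the index and source names are the ones in the thread.

```python
"""Find and remove tab characters in advanced XML <param name="search"> text.

Added example for the thread above; not code from the original post.
The sample XML is constructed: the poster's search split over several
lines with a literal TAB before each pipe, which is the failure mode
described in the resolution.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample view. The <module> wrapper is assumed; the <param>
# body mirrors the poster's snippet, with a TAB (\t) in front of each pipe.
SAMPLE_XML = (
    '<module name="HiddenSearch">\n'
    '  <param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"\n'
    '\t| top asa_srcip, asa_dstip, asa_dstport\n'
    '\t| eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport\n'
    '\t| fields Connection, count, percent\n'
    '  </param>\n'
    '</module>\n'
)


def search_params(xml_text):
    """Yield the text of every <param name="search"> element in the view."""
    root = ET.fromstring(xml_text)
    for param in root.iter("param"):
        if param.get("name") == "search":
            yield param.text or ""


def find_tabs(search_text):
    """Return (line, column) pairs, 1-indexed, for every tab in the search."""
    hits = []
    for lineno, line in enumerate(search_text.splitlines(), start=1):
        for match in re.finditer("\t", line):
            hits.append((lineno, match.start() + 1))
    return hits


def replace_tabs(search_text):
    """Swap each tab for a single space; line breaks and quoted strings are
    left untouched, which is exactly the manual fix described in the post."""
    return search_text.replace("\t", " ")


def check_view(xml_text):
    """For each search param return (tab_positions, tab_free_search)."""
    return [(find_tabs(s), replace_tabs(s)) for s in search_params(xml_text)]


if __name__ == "__main__":
    for tabs, fixed in check_view(SAMPLE_XML):
        if tabs:
            print("tabs found at (line, col):", tabs)
        print("tab-free search:\n" + fixed)
```

Run it against a saved view XML file by passing the file contents to `check_view`; a non-empty `tab_positions` list flags a search worth re-saving with spaces before you spend hours in the job inspector.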

cramasta
Builder

Might be an issue with special characters, or maybe something with the spaces in the eval. Try this...

<param name="search"><![CDATA[index=techsecu_summary source="Top-Internet-connection-permitted"
| top asa_srcip, asa_dstip, asa_dstport
| eval Connection=asa_srcip."/".asa_dstip.":".asa_dstport
| fields Connection, count, percent]]>
</param>

0 Karma

ww9rivers
Contributor

After figuring out the tabs, I did try the CDATA wrapping (with the tabs in front of the |'s), expecting the dashboard to work. But that still did not work for me.

0 Karma

ww9rivers
Contributor

Yes, I'm using advanced XML.

Sorry, the "search" command is copied from the "Search job inspector" page. It's not part of my XML, which actually reads:

  <param name="search">index=techsecu_summary source="Top-Internet-connection-permitted"
    | top asa_srcip, asa_dstip, asa_dstport
    | eval Connection=asa_srcip . "/" . asa_dstip . ":" . asa_dstport
    | fields Connection, count, percent
  </param>

I did change the "eval" line. But that was not the problem.

0 Karma

somesoni2
Revered Legend

Try removing the "search" command from your search [start directly with index=...]

0 Karma

cramasta
Builder

are you using advanced xml?

0 Karma