Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't I see results from (JavaScript) SearchManager with double quotes in search?

danillopavan
Communicator
‎10-19-2017 09:55 AM

Hello all,

I am using the object SearchManager for the below query, however it is not returning anything. Executing the same query directly in search, we can find the results. Probably it is something related to the double quotes in the replacement command within the query:

 var myquery=  'sourcetype=XXX | eval time_resumo=substr(time,6,2) | eval IP = replace(replace(IP, "\."," "),":"," ") |  
         lookup unidadedepara.csv IP OUTPUT PLANTA |   timechart span=1h avg(time_resumo) by PLANTA'

Is there any special way to configure (store) the above query in variable via JavaScript to be executed via SearchManager?

Thanks and regards,
Danillo Pavan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-20-2017 08:03 AM

I don't think the double-quotes are the issue. I have used many query strings in javascript with double-quotes - formatted just like yours. Is it possible that the csv file is not accessible to the user/app that is running this? If PLANTA is not being returned from the lookup, then the final command would output nothing, I believe. Have you tried trimming the query down to sourcetype=XXX | eval time_resumo=substr(time,6,2) | eval IP = replace(replace(IP, "\."," "),":"," ") to see if you get results?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-20-2017 08:03 AM

I don't think the double-quotes are the issue. I have used many query strings in javascript with double-quotes - formatted just like yours. Is it possible that the csv file is not accessible to the user/app that is running this? If PLANTA is not being returned from the lookup, then the final command would output nothing, I believe. Have you tried trimming the query down to sourcetype=XXX | eval time_resumo=substr(time,6,2) | eval IP = replace(replace(IP, "\."," "),":"," ") to see if you get results?

0 Karma
Reply
Solved! Jump to solution

danillopavan
Communicator
‎10-20-2017 11:22 AM

Hello elliotproebstel , many thanks for your Support.

Yes, you are correct. I executed the initial of the query without the lookup command, and got the return. Now we found that the lookup command is not working, but why? If I execute the same query via SEARCH and it is working. The lookup table file componente is configure as Global and for all apss (read and write). Don´t know the reason for this query is not working in JavaScript.

Many thanks again!

0 Karma
Reply
Solved! Jump to solution

danillopavan
Communicator
‎10-23-2017 12:06 PM

Hello all,

It is working now. My search query was wrong. I needed to remove one of the replace commands. The problem was not with lookup information.

Thanks and regards

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎10-23-2017 12:12 PM

Glad you got it fixed!

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...