Splunk post-process timecharts display "no results found" in dashboard, but query on its own is fine
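I have a simple XML Splunk dashboard with one base query and two post-process queries that inherit from that base query. However, when I load the dashboard, it always displays "No results found." When I click the "Open in search" button, the results show up as expected. Additionally, when I take out the base search and put the whole search into the two panels, the charts show up as expected. Does anyone know what is going on here?
Here is the dashboard XML that doesn't work: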
<dashboard>
<label>Test Dashboard</label>
<description>This is a test</description>
<search id="base">
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
</query>
</search>
<row>
<panel>
<title>Test chart 1</title>
<chart>
<search base="base">
<query>
search success=false AND agent=true | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Test chart 2</title>
<chart>
<search base="base">
<query>
search success=false AND agent=false | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
</dashboard>
However, if I merge the queries and get rid of the base query, as shown below, it works:
<dashboard>
<label>Test Dashboard</label>
<description>This is a test</description>
<row>
<panel>
<title>Test chart 1</title>
<chart>
<search>
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
| search success=false AND agent=true | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Test chart 2</title>
<chart>
<search>
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
| search success=false AND agent=false | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
</dashboard>
Any ideas? Am I missing something here?
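The problem is that the mentioned base search is a non-transforming search, and Splunk forgets about the fields in the post-processing.
In the case above, the base search has to be changed to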
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
| fields success agent errors
</query>
Instead of specifying the fields, you can also use | table * to propagate all fields.
See also: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices - topic: No results returned
If the base search is a non-transforming search, you must explicitly state in the base search what fields will be used in the post-process search using the | fields
command. For example, if your post-process search will search for the top selling buttercup game categories over time, you would use a search command similar to the following.
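Added example (not part of the original answer, and not the example the Splunk documentation quote refers to): a small Python check that scans Simple XML dashboards for the failure described above, so that detection panels going silently blank can be caught before deployment. The function names, the short `TRANSFORMING` list and the naive split on `|` are assumptions made for illustration; the sample dashboards are constructed from the one in the question.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: illustrative subset of commands that transform results or pin fields.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare", "table", "fields"}

def stages(spl):
    """(command, args) for each stage after the first; naive split on '|'."""
    out = []
    for stage in spl.split("|")[1:]:
        parts = stage.split(None, 1)
        if parts:
            out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out

def referenced_fields(spl):
    """Fields a post-process search filters on (field=value) or groups by."""
    fields = set(re.findall(r"\b([A-Za-z_]\w*)\s*(?:=|!=)", spl))
    return fields | set(re.findall(r"\bby\s+([A-Za-z_]\w*)", spl, flags=re.I))

def lint_dashboard(xml_text):
    """Return (base_id, problem, fields) for post-process searches at risk."""
    root = ET.fromstring(xml_text)
    bases = {s.get("id"): s.findtext("query") or ""
             for s in root.iter("search") if s.get("id")}
    findings = []
    for s in root.iter("search"):
        base_id = s.get("base")
        if base_id not in bases:
            continue
        cmds = stages(bases[base_id])
        needed = referenced_fields(s.findtext("query") or "")
        if not any(name in TRANSFORMING for name, _ in cmds):
            findings.append((base_id, "non-transforming base search has no | fields",
                             sorted(needed)))
        elif cmds[-1][0] == "fields":
            kept = set(cmds[-1][1].replace(",", " ").split()) - {"+"}
            if needed - kept:
                findings.append((base_id, "fields missing from base | fields",
                                 sorted(needed - kept)))
    return findings

# Constructed sample input, shortened from the dashboard in the question.
TEMPLATE = """<dashboard><search id="base"><query>{base}</query></search>
<row><panel><chart><search base="base">
<query>search success=false AND agent=true | timechart count by errors</query>
</search></chart></panel></row></dashboard>"""
BASE = 'index=app sourcetype=tracelog eventName=business:Logout NOT code="6703"'
BROKEN = TEMPLATE.format(base=BASE)
FIXED = TEMPLATE.format(base=BASE + " | fields success agent errors")
PARTIAL = TEMPLATE.format(base=BASE + " | fields success agent")
```

Running `lint_dashboard` over `BROKEN` reports the three fields the post-process search needs, `FIXED` passes, and `PARTIAL` shows that a `| fields` list which omits `errors` would still break the `timechart ... by errors` split.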