我有一个 simple-xml splunk 仪表板,其中包含一个基本查询和两个从该基本继承的后处理查询。但是,当我加载仪表板时,它总是显示“未找到结果”。当我单击“在搜索中打开”按钮时,结果按预期显示。另外,当我退出基本搜索并将整个搜索放入两个面板时,图表将按预期显示。有人知道这是怎么回事吗?
这是不起作用的仪表板 xml:
<dashboard>
<label>Test Dashboard</label>
<description>This is a test</description>
<search id="base">
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
</query>
</search>
<row>
<panel>
<title>Test chart 1</title>
<chart>
<search base="base">
<query>
search success=false AND agent=true | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Test chart 2</title>
<chart>
<search base="base">
<query>
search success=false AND agent=false | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
</dashboard>
但是,如果我组合查询并删除基本查询(如下所示),它就会起作用:
<dashboard>
<label>Test Dashboard</label>
<description>This is a test</description>
<row>
<panel>
<title>Test chart 1</title>
<chart>
<search>
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
| search success=false AND agent=true | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Test chart 2</title>
<chart>
<search>
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
| search success=false AND agent=false | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
</dashboard>
有什么想法吗?我在这里遗漏了什么吗?
最佳答案
问题是,提到的基本搜索是非转换搜索,splunk 会忘记后处理中的字段。
在上述情况下,基本搜索必须更改为
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
| fields success agent errors
</query>
除了指定字段之外,您还可以使用 | table * 传播所有字段。
另请参阅:http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices - 主题:未返回结果
If the base search is a non-transforming search, you must explicitly state in the base search what fields will be used in the post-process search using the
| fieldscommand. For example, if your post-process search will search for the top selling buttercup game categories over time, you would use a search command similar to the following.
关于Splunk 后处理时间表在仪表板中显示 "no results found",但单独查询就可以了,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44400037/