1
votes

EDIT:

Inspecting the search and comparing the logs of the failed search with those of the successful search, it seems that the failed search job does not parse the search string. I have a log that says:

Generating search operator is null, short-circuiting data generation

On the contrary, on the successful search I have the log of the search parsing process. I want to repeat here that the searches have the SAME code.

Question:

A dashboard suddenly doesn't return anything. I opened the search tool and, again, it does not return anything. But if I push the button to run the search again, it does return the expected data.

This happens only on my remote virtual Windows host. On my private Linux computer, with the same Splunk version and the same indexes, everything works.

I tried to reinstall Splunk and also to clear the var\run\splunk\dispatch folder, without success.

It seems the problem is with a subsearch that I do on many dashboards. It's a search with many joins. If I remove one of them, it works. But of course I need it all.

Indexes are OK, since I use them all also for populating inputs in the same page.

The subsearch is this one:

  [search index=A ID_A="$id_a$" ID_B="$id_b$" | 
  dedup ID_A | 
  join ID_B 
    [search index=B AND ID_C="$id_c$" | 
    dedup ID_B | 
    join ID_C 
      [search index=C AND ID_D="$id_d$" | 
      dedup ID_C | 
      table ID_C] | 
    table ID_B] | 
  table ID_A]

As you can see, it's data from a database, not log data. If I remove the join on ID_C, it works.

Any ideas?

3
Lucas, more data is needed, what is your "search with many joins"? Are you using best practices like PostProcessing to avoid hitting the max number of events ceiling? - Joao Figueiredo
Added the search to the answer. I'm not using PostProcessing for now, but the search has no problem in other dashboards running it directly using the search tool. - Marco Sulla

3 Answers

0
votes

Seems one of your subsearches is quietly performing harakiri after the number of seconds defined in limits.conf.
It's tempting to use JOIN for anyone coming from the SQL world, but in Splunk that function is seldom the answer as it's way, way slower. I'd suggest you use this as a starting point:

(index=A "$id_a$" OR $id_b$ ID_A="$id_a$" ID_B="$id_b$") OR (index=B $id_c$ ID_C="$id_c$") OR (index=C "$id_d$" ID_D="$id_d$")
| dedup ID_A by ID_C, ID_B

The dedup clause will need some work, as I can't do much more than imagine your underlying data.

Reading this will greatly help you in the future, http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk
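
The limits the answer above refers to, as an added example that is not part of the original answer: the limits.conf stanzas that cap ordinary subsearches and join subsearches. The values shown are assumed to be the shipped defaults and the override path is an assumption; check both against the limits.conf.spec of the installed version.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf   (override location: assumption)
#
# The effective values on a given host can be listed with btool:
#   splunk btool limits list subsearch --debug
#   splunk btool limits list join --debug

[subsearch]
# Maximum number of results a subsearch hands back to the outer search.
maxout = 10000
# Seconds a subsearch may run before it is finalized; whatever it has
# produced by then is what the outer search receives.
maxtime = 60
# Seconds a subsearch's results are cached.
ttl = 300

[join]
# Maximum number of result rows taken from the subsearch side of a join.
subsearch_maxout = 50000
# Seconds the join subsearch may run before it is finalized.
subsearch_maxtime = 60
# Seconds the join waits for its subsearch to finish completely.
subsearch_timeout = 120
```

Comparing the btool output of the Windows host with that of the Linux machine shows whether a local override differs between the two installations.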

0
votes

Firstly, I agree with Joao - there is not enough information here to truly answer the question.

However, I've seen this many times in my own app development. Inevitably it has been caused by permissions. The first one is the context of the app (and this is the most common). If you have a props.conf and/or transforms.conf that define some field extractions in your Search app, but those field extractions have not been exported to the app you are working in, then they won't be available. In your case, maybe ID_* are not defined for some reason. You can check this by adding a Search dashboard reference to your app and running the search there.

A second reason is because the dashboard may be using Fast Mode instead of Smart Mode or Verbose Mode. If you are in the Search page; on the right hand side is a drop-down that indicates the mode. When you first open in search - what does it say? After you click on Search, what does it say?

Finally, Search Inspector is your friend. When you don't see results on a panel - open up the panel and view the log and breakdown. Understanding the search inspector is likely to be your best friend here.

The reason you need to re-run is that when you open the search in the search page (probably using the "Open in search" link at the bottom of your panel), it uses the cached information in the dispatch directory. When you click on search, it generates a new search.

0
votes

The free version of Splunk has a max search limit. Also check with your organization to see if you have the correct rights.