Refine your search:

JSChart Search PostProcess: Search did not generate any statistical results.

0

Hello,

I'm trying to move new apps on Splunk 4.3 to JSChart however I have problems with the following error when using PostProcess search: Search did not generate any statistical results.

If I click few times on link switcher the search will appear.

Anyone found any solution?

<module name="AppBar" layoutpanel="navigationHeader"/> <module name="DashboardTitleBar" layoutpanel="viewHeader"/> <module name="Message" layoutpanel="navigationHeader"> <param name="filter">splunk.search.job</param> <param name="clearOnJobDispatch">True</param> <param name="maxSize">1</param> <param name="level">warn</param> </module>

<module name="StaticContentSample" layoutPanel="viewHeader">
    <param name="text">&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;&lt;a href="https://ocx/en-US/app/noss/fw_conn_formsearch"&gt;Firewall Connections Detail Form Search</param>
</module>

<module name="Search" layoutPanel="panel_row1_col1_grp2" autoRun="True">
    <param name="search">eventtype="firewall_conn_count" | dedup error_code | rangemap field=active_conn low=0-1000 elevated=1001-2000 default=severe</param>
    <param name="earliest">-1h</param>
    <module name="SingleValue">
        <param name="field">active_conn</param>
        <param name="classField">range</param>
        <param name="beforeLabel">Active Connections:</param>
    </module>
</module>
<module name="Search" layoutPanel="panel_row1_col1_grp3" autoRun="True">
    <param name="search">eventtype="firewall_conn_count" | dedup error_code | rangemap field=max_conn low=0-5000 elevated=5001-9000 default=severe</param>
    <param name="earliest">-1h</param>
    <module name="SingleValue">
        <param name="field">max_conn</param>
        <param name="classField">range</param>
        <param name="beforeLabel">Max Connections:</param>
    </module>
</module>

<module name="TimeRangePicker" layoutPanel="panel_row1_col1_grp1"><!-- Start TimeRangePicker -->
    <param name="searchWhenChanged">True</param>
    <param name="default">Today</param>

    <module name="Search" layoutPanel="panel_row2_col1" autoRun="True"><!-- Start Connection Timeline  Search -->
        <param name="search">index="firewall_summary" stype="firewall_conn" | timechart span=1m sum(Built) as Built sum(Teardown) as Teardown</param>
        <module name="JobProgressIndicator"/>
        <module name="HiddenChartFormatter">
            <param name="charting.legend.placement">bottom</param>
            <param name="charting.primaryAxisTitle.text">Event Count</param>
            <param name="charting.secondaryAxisTitle.text">Time</param>
            <param name="charting.chart">line</param>
            <param name="charting.fieldColors">{"Teardown":0xE51B1A,"Built":0x6C943B}</param>
            <module name="JSChart">
                <module name="Gimp"/>
                <param name="width">100%</param>
                <param name="height">250px</param>
            </module>
        </module>
    </module><!-- End Connection Timeline  Search -->

    <module name="Search" layoutPanel="panel_row3_col1" autoRun="True"><!-- Start Connection Charts  Search -->
        <param name="search">eventtype="firewall_build_conn" conn_src_int="*" conn_src_host_local="*" conn_src_port_local="*" conn_src_host_global="*" conn_src_port_global="*" conn_dest_int="*" conn_dest_host_local="*" conn_dest_port_local="*" conn_dest_host_global="*" conn_dest_port_global="*" conn_id="*" conn_protocol="*" conn_type="*"</param>
        <module name="LinkSwitcher" group="IP Address Details" layoutPanel="panel_row3_col1"><!-- Start IP Address Details Link Switcher -->
            <param name="mode">independent</param>
            <param name="label">Use the links bellow to switch between charts</param>
            <module name="PostProcess" group="by Local Source IP" autoRun="True">
                <param name="search">| stats count by conn_src_host_local | head 20</param>
                <module name="HiddenChartFormatter">
                    <param name="charting.legend.placement">none</param>
                    <param name="charting.chart">pie</param>
                    <module name="JSChart">
                <module name="Gimp"/>

                        <param name="width">100%</param>
                        <param name="height">250px</param>
                    </module>
                </module>
            </module>
            <module name="PostProcess" group="by Local Destination IP" autoRun="False">
                <param name="search">| stats count by conn_dest_host_local | head 20</param>
                <module name="HiddenChartFormatter">
                    <param name="charting.legend.placement">none</param>
                    <param name="charting.chart">pie</param>
                    <module name="JSChart">
                <module name="Gimp"/>

                        <param name="width">100%</param>
                        <param name="height">250px</param>
                    </module>
                </module>
            </module>
            <module name="PostProcess" group="by Global Source IP" autoRun="False">
                <param name="search">| stats count by conn_src_host_global | head 20</param>
                <module name="HiddenChartFormatter">
                    <param name="charting.legend.placement">none</param>
                    <param name="charting.chart">pie</param>
                    <module name="JSChart">
                <module name="Gimp"/>

                        <param name="width">100%</param>
                        <param name="height">250px</param>
                    </module>
                </module>
            </module>
            <module name="PostProcess" group="by Global Destination IP" autoRun="False">
                <param name="search">| stats count by conn_dest_host_global | head 20</param>
                <module name="HiddenChartFormatter">
                    <param name="charting.legend.placement">none</param>
                    <param name="charting.chart">pie</param>
                    <module name="JSChart">
                <module name="Gimp"/>

                        <param name="width">100%</param>
                        <param name="height">250px</param>
                    </module>
                </module>
            </module>
        </module><!-- End IP Address Details Link Switcher -->

asked 19 Jan, 07:39

bojank's gravatar image

bojank
211
accept rate: 0%

edited 19 Jan, 08:30

araitz's gravatar image

araitz ♦♦
7.1k2516
One Answer:
oldestnewestmost voted
2

It looks like this might be due to a bug in the JSChart module when a post-process is being performed on a non-reporting search. Take a look at this post for a couple of work-around options.

link

answered 24 Jan, 20:34

Simon%20Fishel's gravatar image

Simon Fishel
2431
accept rate: 27%

This configuration should now work with the JSChart module in 4.3.1

(06 Mar, 19:25) Simon Fishel
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×4
×4
×3

Asked: 19 Jan, 07:39

Seen: 336 times

Last updated: 06 Mar, 19:25

Related questions

JSChart using Sideview in 4.3.1?

HiddenSearch not returning results for PostProcess and display Modules

where could I find a list of params that are supported in the new JSChart?

having problems with the PostProcess module

Version 4.3 - using flash charting instead of JSChart

HiddenPostProcess Search Time Range changed.

How to re-use search query using HiddenPostProcess

Generate Statistical Sampling

search-time extracted field showing no results when used in search

Copyright © 2005-2012 Splunk, Inc. All rights reserved.