issue in loading child modules

smolcj
Builder

Hi,
I have a dropdown box, and there are some modules which take the dropdown box output as input and work (single value, table, chart, etc. are those modules).
They are taking a few seconds to display the result, but my issue is that sometimes they (especially tables) show "no results found". But if I click the search button again, it will show the result. Why are they not populating all the time? Is the issue with my query?
Experts, please help.
This is the sample code:

    <label>Summary</label>
    <fieldset>
      <input type="dropdown" token="sources">
        <label>Select Your Source</label>
        <populatingSearch fieldForValue="source" fieldForLabel="source">
          index=main sourcetype=pc_log |top source|rex mode=sed field=source  "s/\\\{1}/\\\\\//g" |rex mode=sed field=source  "s/\///g" |fields source
        </populatingSearch>
        <choice value="NULL">Select Your Log File From the Given Options</choice>
      </input>
    </fieldset>

    <row>
      <single>
        <searchString>
          index=main sourcetype=pc_log source=$sources$ |top name processid |eval x=mvzip(name,processid)|table x
        </searchString>
        <drilldown>
          <link>/app/Sessionapp/flashtimeline?q=source=$form.sources$|search name=*</link>
        </drilldown>
        <option name="beforeLabel">Session,PID</option>
        <option name="height">30px</option>
      </single>
    </row>

    <row>
      <html>
        <div style="background-color:#E9EBFA;">
          <h1><u><center> Configuration</center></u></h1>
        </div>
      </html>
    </row>

    <row>
      <table>
        <title> PARAMETERS: </title>
        <searchString>
          index=main sourcetype=log source=$sources$ | search parameter_value=* AND parameter=*|table parameter,parameter_value|rename parameter as Parameter | rename parameter_value as Value
        </searchString>
      </table>
    </row>

    <row>
      <single>
        <searchString>
          index=main source=$sources$ |stats earliest(_time) AS STARTINGTIME latest(_time) AS ENDINGTIME |eval duration = ENDINGTIME - STARTINGTIME| table duration| sec2time infield=duration outfield=duration |rename duration as Duration
        </searchString>
        <option name="beforeLabel">Total Run Duration (HH:MM:SS)  </option>
        <option name="height">30px</option>
        <option name="linkView">/flashtimeline</option>
        <option name="linkSearch">
          search index=main source="$sources$"|transaction startswith="START" endswith="END " maxevents=10000
        </option>
      </single>
    </row>

    <row>
      <single>
        <searchString>
          index=main source=$sources$ starttime=* | append [search index=main source=$sources$ | search TM_START] | stats earliest(_time) AS STARTINGTIME latest(_time) AS ENDINGTIME |eval duration = ENDINGTIME - STARTINGTIME | table duration | sec2time infield=duration outfield=duration |rename duration as Duration
        </searchString>
        <option name="beforeLabel">Duration(HH:MM:SS) </option>
        <option name="height">30px</option>
        <option name="linkView">/flashtimeline</option>
        <option name="linkSearch">
          search index=main source=* |transaction startswith="blabla" endswith="tadatada"
        </option>
      </single>
    </row>

    <row>
      <single>
        <searchString>
          index=main source=$sources$ TADA | append [search index=main source=$sources$ | search TTAADDAA ] | stats earliest(_time) AS STARTINGTIME latest(_time) AS ENDINGTIME |eval duration = ENDINGTIME - STARTINGTIME| convert ctime(STARTINGTIME) ctime(ENDINGTIME)| sec2time infield=duration outfield=duration| table duration|rename duration as Duration(secs)
        </searchString>
        <option name="beforeLabel">Actual  Duration(HH:MM:SS): </option>
        <option name="height">30px</option>
        <option name="linkView">/flashtimeline</option>
        <option name="linkSearch">
          search index=main source=* |transaction startswith="PETL_24006" endswith="TM_6020" maxevents=7000
        </option>
      </single>
    </row>

    <row>
      <table>
        <searchString>
          index=main source=$sources$ eventtype=READER_THREAD  thread_no=*|chart earliest(_time) as atime  latest(_time) as btime by thread_no | appendcols[search index=main source=$sources$ Targetgroup =*| chart  earliest(_time) as aatime latest(_time) as bbtime by Targetgroup ]  |<![CDATA[rex field=Targetgroup "(?<Threadno>\d)"]]> | eval duration = bbtime-atime  | sec2time infield=duration outfield=duration  | rename duration as "Duration(H:M:S)"  |  table  Threadno Targetgroup   Duration(H:M:S)
        </searchString>
        <drilldown>
          <link>/app/Sessionapp/flashtimeline?q=source=$form.sources$ thread_no=$row.Threadno$ OR Target_load_order_group="$row.Targetgroup$" | sort -_time </link>
        </drilldown>
      </table>
    </row>

    <row>
      <html>
        <div style="background-color:#E9EBFA;">
          <h1><u><center> Error Severity</center></u></h1>
        </div>
      </html>
    </row>

    <row>
      <chart>
        <searchString>
          index=main source=$sources$   | chart count over severity | eval red=if(severity=="ERROR",count,0) | eval yellow = if(severity=="DEBUG",count,0) | eval green = if(severity=="INFO",count,0)| fields - count
        </searchString>
        <drilldown>
          <link>/app/Sessionapp/flashtimeline?q=source=$form.sources$|search severity=$click.value$</link>
        </drilldown>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.fieldColors">{"red":0xFF0000,"yellow":0xFFFF00,"green":0x73A550}</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </row>
0 Karma

jonuwz
Influencer

Are you saying that when you change the dropdown, some of the searches don't run?

Try adding searchWhenChanged="true" as an attribute to your input declaration

0 Karma

smolcj
Builder

Ya, exactly. When I change the dropdown/refresh, some of the searches don't run.
I tried as you told; still the issue persists.

0 Karma

smolcj
Builder

I have edited my question with proper indenting and code. Please help.

0 Karma

Ayn
Legend

Please indent code blocks with 4 spaces, otherwise they will not show properly on this site.

0 Karma

Drainy
Champion

I know I've said this many times but I'll say it once more, you need to post code!
You've obviously not got a search firing or passing its results down somewhere along the way.

0 Karma