Dashboards & Visualizations

Why am I Unable to create search

Robert11
Path Finder

I am in Splunk Enterprise trying to create a Dashboard in the source code.

When I input the code below, the UI says "Unable to create search" for the User: All section.

Is this a user-role restriction preventing me from searching all users, or something else? There are no errors on the edit-source page.

Code below:

<form theme="dark">
  <label>Splunk Search Activity</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="radio" token="exclude1" searchWhenChanged="true">
      <label>Splunk System User</label>
      <choice value="user!=splunk-system-user">exclude</choice>
      <choice value="*">include</choice>
      <default>user!=splunk-system-user</default>
      <initialValue>user!=splunk-system-user</initialValue>
    </input>
    <input type="multiselect" token="user1">
      <label>User:</label>
      <fieldForLabel>user1</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>index=_audit action=search
          search!="'typeahead*" $exclude1$ | stats count by user</query>
        <earliest>$time1.earliest$</earliest>
        <latest>$time1.latest$</latest>
      </search>
      <choice value="*">all</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <delimiter> </delimiter>
    </input>
    <input type="text" token="filter1">
      <label>Search Filter:</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>"*</prefix>
      <suffix>*"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_audit action=search search!="'typeahead*" user="$user1$" search=$filter1$ $exclude1$
            | stats count by _time user search total_run_time search_id app event_count
            | sort -_time</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

1 Solution

somesoni2
Revered Legend

Check if you have access to index=_audit (log in as admin: Settings -> Roles -> role of the user in question -> Indexes). It's not included by default for non-admin users.

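The check above can be scripted against the management port, which is handy when the same dashboard has to be rolled out to several roles. The script below is an added example for this thread, not code from the original post or from Splunk. It assumes the management port is reachable at the URL in SPLUNK_MGMT_URL (default https://localhost:8089) and that a bearer token is in SPLUNK_TOKEN; the role name and index are passed on the command line. The one detail that trips people up is the wildcard semantics from authorize.conf: a bare "*" in srchIndexesAllowed covers only non-internal indexes, so a role with "*" still cannot see _audit unless it also has "_*" or an explicit _audit entry, either directly or inherited from an imported role. Patterns other than the bare "*" are treated as ordinary globs here, which is an assumption of this example.

```python
"""Check whether a Splunk role is allowed to search a given index (e.g. _audit).

Added example for this thread, not code from the original post or from Splunk.
Assumptions: the management port is reachable at SPLUNK_MGMT_URL (default
https://localhost:8089) and a bearer token is available in SPLUNK_TOKEN.
"""
import fnmatch
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request


def _as_list(value):
    """REST JSON output gives these fields as a list; authorize.conf uses a
    semicolon-separated string. Accept both so the helpers work on either."""
    if value is None:
        return []
    if isinstance(value, str):
        return [p for p in value.split(";") if p]
    return list(value)


def index_allowed(patterns, index):
    """True if `index` matches one of the role's allowed-index patterns.

    authorize.conf semantics: a bare "*" matches every non-internal index,
    while internal indexes (names beginning with "_", such as _audit) need
    "_*" or an explicit entry. Any other pattern is treated as an ordinary
    glob, which is an assumption of this example.
    """
    internal = index.startswith("_")
    for pat in _as_list(patterns):
        if pat == "*":
            if not internal:
                return True
            continue  # "*" never grants an internal index
        if fnmatch.fnmatchcase(index, pat):
            return True
    return False


def role_allows(content, index):
    """`content` is the "content" object of one entry returned by
    /services/authorization/roles/<role>?output_mode=json. Indexes inherited
    from imported roles (imported_srchIndexesAllowed) count as well."""
    patterns = (_as_list(content.get("srchIndexesAllowed"))
                + _as_list(content.get("imported_srchIndexesAllowed")))
    return index_allowed(patterns, index)


def fetch_role_content(role, token, base_url=None, cafile=None):
    """Fetch one role from the management port and return its content dict.

    TLS verification stays on; for a self-signed Splunk certificate pass the
    CA file via cafile= rather than disabling verification.
    """
    base_url = base_url or os.environ.get("SPLUNK_MGMT_URL", "https://localhost:8089")
    url = (f"{base_url}/services/authorization/roles/"
           f"{urllib.parse.quote(role)}?output_mode=json")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        body = json.load(resp)
    return body["entry"][0]["content"]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_index_access.py <role> <index>")
    role_name, index_name = sys.argv[1], sys.argv[2]
    content = fetch_role_content(role_name, os.environ["SPLUNK_TOKEN"])
    ok = role_allows(content, index_name)
    print(f"role {role_name}: own={_as_list(content.get('srchIndexesAllowed'))} "
          f"inherited={_as_list(content.get('imported_srchIndexesAllowed'))} "
          f"-> {index_name} {'allowed' if ok else 'NOT allowed'}")
```

A quicker check from the search bar, as the affected user, is | eventcount summarize=false index=_audit: an empty result means the role cannot see the index. Before widening srchIndexesAllowed, keep in mind that _audit records the full search text of every user, which can carry sensitive values, so grant it to a dedicated role rather than to the generic user role.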

ITWhisperer
SplunkTrust
<input type="multiselect" token="user1">
  <label>User:</label>
  <fieldForLabel>user1</fieldForLabel>
  <fieldForValue>user</fieldForValue>
  <search>
    <query>index=_audit action=search
      search!="'typeahead*" $exclude1$ | stats count by user</query>
    <earliest>$time1.earliest$</earliest>
    <latest>$time1.latest$</latest>
  </search>
  <choice value="*">all</choice>
  <default>*</default>
  <initialValue>*</initialValue>
  <delimiter> </delimiter>
</input>

<fieldForLabel>user1</fieldForLabel>: this field is not returned by your query (| stats count by user).

Robert11
Path Finder

@ITWhisperer Does that mean I need to modify the query, or have that index=_audit added to my account privileges? Why is that field not being returned by the query? This specific dashboard is rated highly on GoSplunk with no comments of failure, so I am not sure why that query wouldn't work on my Splunk Enterprise when it worked for others. Thank you.


ITWhisperer
SplunkTrust

If this dashboard as defined is working for others, then I suspect the fieldForLabel will be using the value in the fieldForValue if the field doesn't exist. In that case, it is more likely that you don't have permissions to access the index, as @somesoni2 has already pointed out.

