danotorrey
commented
1 year ago @dennisoelkers is investigating further with the content pack export looking for a potential workaround or fix.
Closed danotorrey closed 1 year ago
danotorrey
commented
1 year ago @dennisoelkers is investigating further with the content pack export looking for a potential workaround or fix.
[HS 1317645421]
Overview
When attempting to export a dashboard (or the individual widgets within the dashboard) to CSV format, the resulting export is blank (a zero byte file is produced). The dashboard does show results before attempting the export (so we would expect the export to also include the results).
When using the Replay Search feature (to run the search again from the Search page), the query produces results.
Possible Cause
From some additional investigation by @ryan-carroll-graylog:
I was able to reproduce this with the provided dashboard. It looks like when exporting from the dashboard search widget, the query that gets executed on the search backend it getting changed from event_code:4625 OR EventID:4625 to event_code:4625 OR EventID:4625 AND event_code:4625 OR EventID:4625.
I traced the fork in the execution between exporting form the dashboard vs exporting from the search replay to here:
https://github.com/Graylog2/graylog2-server/blob/237fa479a272d8d045461d741285c166de73b258/graylog2-server/src/main/java/org/graylog/plugins/views/search/export/CommandFactory.java#L134
Where it looks like the extra
AND event_code:4625 OR EventID:4625is being added for the dashboard export, vs here for the search page:https://github.com/Graylog2/graylog2-server/blob/237fa479a272d8d045461d741285c166de73b258/graylog2-server/src/main/java/org/graylog/plugins/views/search/export/CommandFactory.java#L136
We get a different searchType provided for the different export locations witch looks to be what's driving this but I still don't understand what the SearchTypes mean or are for.
Steps to Reproduce (for bugs)
The user has provided a content pack, which can reproduce the issue.
Environment