splunk / splunk-tableau-wdc

Splunk Tableau Web Data Connector (WDC) Example
Apache License 2.0

Commands starting with | like mstats or inputlookup #6

Open Sp1ritfire opened 5 years ago

Sp1ritfire commented 5 years ago

Commands in Splunk that start the search with `|`, like `mstats` or `inputlookup`, have the earliest and latest time put in front of them by the connector. This then results in an invalid search.

I would propose changing the end of splunkConnector.js to:

```javascript
} else {
    // Default
    // Searches starting with | are not allowed to have anything before it
    if (baseSearch.trim().startsWith("|")) {
        log("Pipe Found at the beginning");
        _searchSPL = baseSearch;
    } else {
        _searchSPL = earliest_time + latest_time + baseSearch;
    }
}
log("Outcome: " + _searchSPL);

$dropdownSS.append($("<option />").val(search.name).text(search.name).attr("title", b64EncodeUnicode(_searchSPL)));
```

splunkConnector.zip
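The problem in this report comes down to one string-building decision: Splunk requires a generating command (`mstats`, `inputlookup`, `tstats`, `loadjob`, ...) to be the very first command, so nothing may be prepended to a search that begins with `|`. The function below is an added, stand-alone example of that decision, not the project's splunkConnector.js and not the reporter's patch: the function name `buildSearchSPL`, its parameters, and the sample searches are assumptions made for this illustration. It takes the bare time modifiers rather than pre-formatted `earliest_time`/`latest_time` fragments so the assembled SPL can be checked exactly.

```javascript
// Added example, not code from splunk-tableau-wdc. Assumed names:
// buildSearchSPL, isGeneratingSearch, and the sample SPL strings.

// A search whose first non-blank character is "|" begins with a generating
// command; Splunk rejects anything placed before it with
// "Error in '<cmd>' command: This command must be the first command of a search."
function isGeneratingSearch(baseSearch) {
  return baseSearch.trim().startsWith("|");
}

// Build the SPL the connector hands to Splunk.
// earliest / latest are Splunk time modifiers such as "-7d" and "now".
function buildSearchSPL(baseSearch, earliest, latest) {
  const trimmed = baseSearch.trim();
  if (isGeneratingSearch(trimmed)) {
    // Leave the pipeline untouched: the author of a generating search has to
    // place earliest/latest inside the command's own arguments (as the mstats
    // example in this issue already does), so the connector must not add them.
    return trimmed;
  }
  // Ordinary searches start with an implicit "search" command, so the
  // connector's time range can be prepended as before.
  return `earliest=${earliest} latest=${latest} ${trimmed}`;
}

// Constructed sample inputs, mirroring the two cases discussed above.
const PIPED_SEARCH =
  '| mstats span=1h avg(_value) as util WHERE index="snx_performance" earliest=-7d latest=now by metric_name';
const PLAIN_SEARCH = "index=snx_performance sourcetype=snmp | stats count by interface_id";

console.log(buildSearchSPL(PIPED_SEARCH, "-7d", "now"));
console.log(buildSearchSPL(PLAIN_SEARCH, "-7d", "now"));
```

Keeping the check on the trimmed string matters: a saved search copied out of a dashboard often carries leading whitespace or a newline before the pipe, and the untrimmed form would be misclassified as an ordinary search.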

mayurah commented 5 years ago

Thanks for reporting this @Sp1ritfire, I will test it over free time.

Meanwhile, if you get a chance, please provide us the sample SPL you tried.

Sp1ritfire commented 5 years ago

Thanks a lot @mayurah. This was one of the searches I tried to run:

```
| mstats span=1h avg(_value) as util WHERE metric_name IN ("snx.util.in", "snx.util.out") AND index="snx_performance" earliest=-7d latest=now by metric_name interface_id 
| lookup interfaces "ID" as interface_id OUTPUT "Router Name" as router Name as int "Speed In" as speed
```

This resulted in the following:

```
earliest=-7d  latest=now 
| mstats span=1h avg(_value) as util WHERE metric_name IN ("snx.util.in", "snx.util.out") AND index="snx_performance" earliest=-7d latest=now by metric_name interface_id 
| lookup interfaces "ID" as interface_id OUTPUT "Router Name" as router Name as int "Speed In" as speed
```

Sadly, this is not a valid search any more:

```
Error in 'mstats' command: This command must be the first command of a search.
```

danoe commented 5 years ago

I had that happen with a pivot search. I was able to work around it by extracting the tstats search from it and putting it in a saved search. There it will correctly put the time range within the query behind the "pipe" as:

```
| where _time > relative_time( now(), "-7d")  
| where _time < relative_time( now(), "@d")
```

Sp1ritfire commented 5 years ago

Yeah, I saw this; it makes searches with this line really fun to debug ;) `| eval datamodel="My Datamodel"`

To be honest, I prefer to add earliest and latest myself in the right position in these edge cases.

EugeneKatz commented 5 years ago

While this is being resolved, the workaround I was able to implement is:

```
index=fakeindex | append [ | whatever ]
```

In my case, `whatever` is `loadjob`.

Sp1ritfire commented 5 years ago

Note that you might want to set `maxout` if you have more than 50k results: https://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Append