Splunk base search on a dashboard, with post-processing of the results

Problem description

I have a dashboard that uses a base search, plus four other panels that reference it and format the results for whichever chart I want to use.

When I run the base query on its own, it returns data as expected.

Base query

index=mail sourcetype=barracuda bcProcess="outbound/smtp" 
    [ search index=mail sourcetype=barracuda 
        [ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>" 
           | rex field=from "<(?<bcSender>.*)>" 
           | stats count by bcSender 
           | fields bcSender 
           | format 
        ] 
      | stats count by bcMsgid 
      | fields bcMsgid
    ]

In one panel I display a total count of sends as follows:

<search base="main_results">
  <query>
   | stats count(bcMsgid) as total
  </query>
</search>
        

Same with another panel that shows it per hour as a line chart:

<search base="main_results">
  <query>
   | timechart span=1h count AS "Total Sends"
  </query>
</search>

Both of the panels above work fine when referencing the base query.


The problem I'm running into is in the pie chart.

<panel>
  <chart>
    <title>Send Action Breakdown</title>
    <search base="main_results">
      <query>| rename bcSendAction as "Send Action"
| replace 1 WITH "Success", 2 WITH "Block", 3 WITH "Deferral" IN "Send Action"
| chart count as Total by "Send Action"
| eval "Send Action"='Send Action'." (".Total.")"</query>
    </search>
    <option name="charting.chart">pie</option>
    <option name="charting.drilldown">none</option>
    <option name="height">460</option>
    <option name="refresh.display">progressbar</option>
    <option name="charting.chart.showPercent">true</option>
  </chart>
</panel>

Whenever the dashboard tries to load this panel it always returns "No results found". However, if I copy the base query into a search and paste the query from this panel directly below it, I get the expected results.


Question:

Why does this panel have trouble getting data from the same base query, when I can manually paste the two pieces together and it runs fine?

Bounty details update: My dashboard has 4 panels, 3 of which use almost the same search query, which is why I'm trying to set up a base search that they can all reference.

Here are my 4 separate searches for the 4 panels, in case it helps to show how I'm trying to split them up so that my base works.

// Total Emails Sent
index=mail sourcetype=barracuda bcProcess="outbound/smtp" 
            [ search index=mail sourcetype=barracuda 
              [ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>" 
                | rex field=from "<(?<bcSender>.*)>" 
                | stats count as Total by bcSender 
                | fields bcSender 
                | format 
              ] 
              | stats count as Total by bcMsgid 
              | fields bcMsgid,bcSendAction 
            ]
            | stats count(bcMsgid) as total


// Emails per hour
index=mail sourcetype=barracuda bcProcess="outbound/smtp" 
            [ search index=mail sourcetype=barracuda 
              [ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>" 
                | rex field=from "<(?<bcSender>.*)>" 
                | stats count as Total by bcSender 
                | fields bcSender 
                | format 
              ] 
              | stats count as Total by bcMsgid 
              | fields bcMsgid,bcSendAction 
            ]
            | bin _time as hour span=1h
| stats count as hourcount by hour
| eval hour=strftime(hour,"%H:%M")
| chart sum(hourcount) as count by hour



// Top 10 Senders
index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>"         
            | rex field=from "<(?<bcSender>.*)>"          
            | stats count as Total by bcSender
            | rename bcSender as "From Address"
            | sort -Total | head 10



// Action Breakdown
index=mail sourcetype=barracuda bcProcess="outbound/smtp" 
            [ search index=mail sourcetype=barracuda 
              [ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>" 
                | rex field=from "<(?<bcSender>.*)>" 
                | stats count as Total by bcSender 
                | fields bcSender 
                | format 
              ] 
              | stats count as Total by bcMsgid 
              | fields bcMsgid,bcSendAction 
            ]
          | stats count as Total by bcSendAction
          | rename bcSendAction as Action
          | replace 1 WITH "Success",3 WITH "Deferral" IN Action
          | eval "Action"=Action." (".Total.")"

Solution

Include the field you need for the pie chart, bcSendAction, in the base search's | fields statement. Base searches are assumed to run in FAST mode; any field not explicitly called out in the base will not be available to the post-process searches.
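The following Simple XML dashboard is an added example that is not part of the question or the answer above. It puts the fix into practice: the base search keeps the index, sourcetype and field names from the question, and adds an explicit `| fields` line that carries `bcSendAction` (together with `bcMsgid` and `_time`) into the post-process searches. The dashboard label, the fixed 24-hour time range and the single-value panel type are assumptions for the sake of a complete, loadable file; the `<` and `>` inside the query are XML-escaped as `&lt;` and `&gt;`, which Simple XML requires for a `<query>` element that is not wrapped in CDATA.

```xml
<dashboard>
  <label>Outbound Mail (base search example, constructed)</label>

  <!-- Base search. A base search that returns events (non-transforming)
       runs in fast mode, so only fields referenced in it are extracted and
       passed on. bcSendAction is therefore listed explicitly; bcMsgid and
       _time are listed as well so the intent is visible at a glance. -->
  <search id="main_results">
    <query>
index=mail sourcetype=barracuda bcProcess="outbound/smtp"
    [ search index=mail sourcetype=barracuda
        [ search index=mail sourcetype=sendmail_syslog msgid="&lt;*@sfdc.net&gt;"
          | rex field=from "&lt;(?&lt;bcSender&gt;.*)&gt;"
          | stats count by bcSender
          | fields bcSender
          | format
        ]
      | stats count by bcMsgid
      | fields bcMsgid
    ]
| fields _time bcMsgid bcSendAction
    </query>
    <!-- Assumed time range; replace with a time input token if needed. -->
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <single>
        <title>Total Sends</title>
        <search base="main_results">
          <query>| stats count(bcMsgid) as total</query>
        </search>
      </single>
    </panel>

    <panel>
      <chart>
        <title>Sends per Hour</title>
        <search base="main_results">
          <query>| timechart span=1h count AS "Total Sends"</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <chart>
        <title>Send Action Breakdown</title>
        <!-- Works only because bcSendAction is carried by the base search.
             The numeric codes are mapped to labels before the label is
             combined with the count, and single quotes make 'Send Action'
             a field reference rather than a string literal in eval. -->
        <search base="main_results">
          <query>| stats count as Total by bcSendAction
| replace 1 WITH "Success", 2 WITH "Block", 3 WITH "Deferral" IN bcSendAction
| rename bcSendAction as "Send Action"
| eval "Send Action"='Send Action'." (".Total.")"
| fields "Send Action" Total</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="height">460</option>
        <option name="refresh.display">progressbar</option>
        <option name="charting.chart.showPercent">true</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

A quick way to confirm the diagnosis before editing the dashboard is to run the base search by itself and append `| fieldsummary` or `| table bcMsgid bcSendAction`: if `bcSendAction` comes back empty while `bcMsgid` is populated, the field is simply not being extracted in the base search, and the pie panel's "No results found" follows from a `stats ... by` on a field that no event carries. The single-value and timechart panels kept working in the original dashboard because they depend only on `_time` and `bcMsgid`, both of which the base search already referenced.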