Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard returning incomplete results

beaunewcomb
Communicator
‎07-25-2012 12:43 PM

I have a multi-chart dashboard using to generate graphs. Splunk only returns 10-13k events so the data is incomplete. This happens regardless of what I set the timeframe to. If I run the same queries on the search line, or just do a regular dashboard without form, all events come back. 

    <?xml version='1.0' encoding='utf-8'?>
<form>
 <label>Event Volume Stats</label>
 <searchTemplate>`dp` environment=$environment$ <!--object=*--></searchTemplate>  
 <fieldset>
  <input type="dropdown" token="environment">
   <label>Environment</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="environment" fieldForLabel="environment">
           <![CDATA[earliest=-15min latest=now `dp` 
            | stats count by environment]]>
      </populatingSearch>
   </input>

<!--   <input type="dropdown" token="object">
     <label>Object</label>
     <choice value="*">All</choice>
     <populatingSearch fieldForValue="object" fieldForLabel="object">
        <![CDATA[earliest=-1h latest=now `dp` 
         | stats count by environment]]>
     </populatingSearch>
   </input>
-->

   <input type="time" />

  </fieldset>

   <row>
    <chart>
      <searchPostProcess>timechart count(environment) AS events BY environment usenull=f</searchPostProcess>
      <title>Volume</title>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Object Count</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.primaryAxisTitle.text"/>
      <option name="charting.secondaryAxisTitle.text"/>
    </chart>
  </row>

  <!-- 
  <row>
    <chart>
      <searchPostProcess>timechart count(object) AS events BY object usenull=f</searchPostProcess>
      <title>Volume</title>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Object Count</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.primaryAxisTitle.text"/>
      <option name="charting.secondaryAxisTitle.text"/>
    </chart>
  </row>

    <row>
    <table>
      <searchPostProcess>chart count(object) AS events BY object | sort -events</searchPostProcess>
      <title>Object Count</title>
      <option name="dataOverlayMode">heatmap</option>
      <option name="displayRowNumbers">false</option>
      <option name="drilldown">none</option>
    </table>
    <chart>
      <searchPostProcess>chart limit=0 count(object) AS events BY object | sort -events</searchPostProcess>
      <title>Object Count Distribution</title>
      <option name="charting.chart">pie</option>
      <option name="drilldown">none</option>
    </chart>
  </row>
        -->
</form>
Tags (3)
0 Karma
Reply

fernandoandre
Communicator
‎02-19-2013 06:51 AM

Hi

I think this can solve you problem:

alt text

Please give feedback if it worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...