Splunk Search

Real-time and charts not working in a dashboard

anjafischer
Path Finder

Hello,

I am having trouble to make realt-time charts work uin my current dashboard. I am working with advanced XML and sideview utils and am creating a quite complex search that not only gives me the rsults I want to chart but also calculates me the column assignments that are needed for my HiddenChartFormatter...

this is my search:
system=cics dc="RZ2" | lookup cics_trans_id_lookup.csv cics_trans_id as tran OUTPUT cics_trans_area_name | timechart minspan=5m nullstr="Other" limit=0 dc(cics_trans_area_name) sum(count) sum(cputot) by cics_trans_area_name | foreach dc(cics_trans_area_name)* [eval <>=1] | addtotals dc(cics_trans_area_name)* fieldname=n | eval numbers=mvrange(0,n+1,1) | eval leftColumns=mvjoin(numbers, ",") | eval label="CPU Time [s]" | eval rightColumns=if(label="None","","0,".tostring(n+5)) | eval rightAxisTitle=if(label="None","",",@axisTitleY2") | eval rightAxisLabel=if(label="None","",",@axisLabelsY2") | fields _time, sum(count), sum(cputot), leftColumns, rightColumns, rightAxisTitle, rightAxisLabel | addtotals sum(cputot):* | fields - sum(cputot):*

this results in a table of the following format (each line represents a column):
_time

sum(count): ELAR

sum(count): ELARTEST

sum(count): Mittelfluss
sum(count): NZV
sum(count): Other

sum(count): SYSTEM

leftColumns
rightColumns

rightAxisTitle

rightAxisLabel

Total

when I set an upstream TimeRangePicker to some real-time interval the search works fine if I fill a Pager/SimpleResultsTable with the search results, it also auto-updtaes, just as it should.

However, if I try to populate a chart (JSChart or FlashChart) with the results, they ONLY work for normal times, but not real-time intervals. I even removed my HiddenChartFormatter for debugging purposes, still, the charts do not update, sometimes they disappear but no real-time data gets ever shown, even if I wait for several minutes...

If I fill the above search into Splunk's search app, it works fine, both table and charting, even for real-time periods...

What am I doing wrong here?

0 Karma

anjafischer
Path Finder

Never mind, a ResultsValueSetter module that I used between my real-time search and the HiddenChartFormatter was the culprit. Getting rid of it, fixed everything 😄

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...