For the life of me I cannot figure out why a panel that is doing an inline search displayed as a chart does not show all (or any for that matter) of the results that come up when I click view results. I specifically set the time for -90days to see a 3 month interval. The bar chart or column chart I think it is will show several days at the most with no data... and then when i click view results I see it pulled up in search mode with several results that just were not graphed.
Does it matter that my free trial license is over limit on indexing? I know we dont do 500mb a day of data.. but this initial indexing has me 250% over the limit. I have asked about purchasing a license but it is not something I am going to proceed with unless I can figure out the cause of this issue.
~Matt
Can you paste in the search that you're using? Not all search results are chartable, so if it's literally displaying nothing in the chart and something when you click 'view results', that's my guess. If you paste in the search or a close analogue thereof I'll be able to tell you what the problem is.
And no in your case it shouldn't matter that you went over your your license limit recently.
UPDATE: your search Authentication Failure
will indeed match events, but the charting stuff cannot do anything with raw events; you need to use a reporting command in your search.
If you change the search to be
Authentication Failure | timechart count
then it will show the frequency of those events over time.
Likewise if you had a field extracted called 'username', then you could do this:
Authentication Failure | timechart count by username
which would break the same graph down by username, or
Authentication Failure | top 50 username
which would show the top 50 usernames with authentication failures overall.
Can you paste in the search that you're using? Not all search results are chartable, so if it's literally displaying nothing in the chart and something when you click 'view results', that's my guess. If you paste in the search or a close analogue thereof I'll be able to tell you what the problem is.
And no in your case it shouldn't matter that you went over your your license limit recently.
UPDATE: your search Authentication Failure
will indeed match events, but the charting stuff cannot do anything with raw events; you need to use a reporting command in your search.
If you change the search to be
Authentication Failure | timechart count
then it will show the frequency of those events over time.
Likewise if you had a field extracted called 'username', then you could do this:
Authentication Failure | timechart count by username
which would break the same graph down by username, or
Authentication Failure | top 50 username
which would show the top 50 usernames with authentication failures overall.
Nick! Your my hero! So the charts that show up when you perform a regular search... have built in reporting language thats not used when you build a dashboard... Thank you thank you thank you!
thats the xml from the dashboard i am using... only thing I have done on my own is add the refresh in really. I just want it to continually display any new authentication errors so that I can react to them in a reasonable amount of time.
<?xml version='1.0' encoding='utf-8'?>
all
all
Currently I am running an inline search... before i had a saved search and I was concerned that that was the problem
When I click edit dashboard I can then go to panel layout and click edit panel...
Doing an inline search string for Authentication Failure no quotes or anything just those two words...
I had earliest time set to some nonsense but just taking that out it looks like the graph goes back to March 13th now... (not showing any data but at least the date range is somewhat better. When I click on show results I have Authentication Failures showing up in my logs from yesterday.