Chart not plotting in dashboard

RNB
Path Finder

I am using Splunk 4.2.1, build 98164. I am creating simple multi-panel dashboards and not all charts in the dashboard are being plotted. For example, one dashboard uses two graphs and one event_viewer. The graph that does not plot uses the same saved search as the event_viewer panel, and of course there is lots of data returned in the event_viewer panel. Therefore, there should be lots of data points for the graph to plot.

This is not the only dashboard I am experiencing this issue with, and clicking on "View results" displays search results that should be plotted. I am also observing that some panels plot data intermittently, where sometimes I will see plotted graphs for a while, and then for a majority of the time, the graph will be blank, not plotted when there are search results that should be plotted.

I am experiencing this issue in both Internet Explorer 9 and Firefox 3.6.16. Any ideas?

<?xml version='1.0' encoding='utf-8'?>




Ticket 39219
PCI Zone to 192.168.153.59


Dashboard - Drop Rate Exceeded
Drop Rate Exceeded
all




Ticket 39219
Details


Additional information:

I have moved the charts so they are no longer side by side; one is on top of the other. The chart that is not displaying results actually plots and you can see the results for a fraction of a second before the chart becomes blank. The second chart continues to display the plotted data.

Search strings after the colon:

Ticket 39219: (192.168.153.59 NOT (search))

Dashboard - Drop Rate Exceeded: ( "drop rate" NOT ("search"))

Nick put me on to something:

For the chart panel, I replaced the saved search with an inline search that used the string:

(192.168.153.59 NOT (search)) | timechart count

This is producing a plotted chart consistently so far. Now the other chart is not plotting, but I will use the same method.


Paolo_Prigione
Builder

Hi RNB,
some things I've noticed:

  1. Any Splunk chart expects data in a specific format, which is specified in the Charting Reference page. A <chart> panel won't generally plot a list of events, as Nick noted. You should have a command such as stats or timechart to prepare data for plotting. Maybe this is the reason why you don't get any chart.

  2. In case you have missing data points and you are using line or area charts, Splunk will not show you those points in a line chart. You've got to tell it how to deal with those gaps, which is the following option: <option name="charting.nullValueMode">(accepted values: gaps, zero, and connect)</option>, to be put between the <chart> and </chart> tags.

  3. If possible, add markers to line charts in order to visualize data points which are not connected to anything else: <option name="charting.showMarkers">true</option>

As a personal suggestion, try to manually run your saved search and see whether, on the rightmost part of the screen over the list of returned events/results, you have a "show report" or "build report" button:

  • the former means your data can already be plotted: open the report viewer and play with the settings as you wish
  • the latter means your data is not yet suitable for charting, so you will need some reporting command (top, stats, timechart, ...) to post-process the search results

Cheers!
Paolo


giovere
Path Finder

If charting.nullValueMode does not work for you try:

<option name="charting.chart.nullValueMode">value...</option>
0 Karma
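
The fix discussed in this thread, written out as a complete dashboard (an added example, not the poster's original XML): the chart panel uses an inline search that ends in `timechart count`, while the event panel keeps the raw event search. The search strings come from the thread; the label, time range, chart type, event count and the `charting.chart.`-prefixed option names are assumptions chosen for illustration.

```xml
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Ticket 39219 (example)</label>
  <row>
    <!-- Chart panel: the search ends in a reporting command, so the panel
         receives a _time/count table rather than a list of raw events. -->
    <chart>
      <searchString>(192.168.153.59 NOT (search)) | timechart count</searchString>
      <title>Ticket 39219</title>
      <earliestTime>-24h</earliestTime>
      <option name="charting.chart">line</option>
      <!-- Empty time buckets: gaps, zero or connect. Prefixed form as in the
           reply above; the answer writes it as charting.nullValueMode. -->
      <option name="charting.chart.nullValueMode">zero</option>
      <!-- Show isolated points that have no neighbour to connect to. The
           answer writes this option as charting.showMarkers. -->
      <option name="charting.chart.showMarkers">true</option>
    </chart>
  </row>
  <row>
    <!-- Event panel: raw events are fine here, no reporting command needed. -->
    <event>
      <searchString>(192.168.153.59 NOT (search))</searchString>
      <title>Details</title>
      <earliestTime>-24h</earliestTime>
      <option name="count">10</option>
    </event>
  </row>
</dashboard>
```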

RNB
Path Finder

I have changed the searches from saved searches to inline searches. This was done to test the modified searches without modifying the saved searches. I have added "| timechart count" to the inline search strings and I am getting the desired results consistently.

0 Karma

sideview
SplunkTrust

Can you post the actual search language of the "Ticket 39219" search as well? In general searches that return events and do not have another command in them like 'stats' or 'timechart' are not directly chartable in the Flash Chart.

0 Karma

RNB
Path Finder

<?xml version='1.0' encoding='utf-8'?>




Ticket 39219
PCI Zone to 192.168.153.59


Dashboard - Drop Rate Exceeded
Drop Rate Exceeded
all




Ticket 39219
Details


The panel "Ticket 39219" is the panel that is most often blank.

0 Karma

RicoSuave
Builder

Can you please post the XML for your dashboard? I ran into similar issues with 4.2 and found a bug where single value modules won't render when combined in the same panel as another chart.

0 Karma