Timechart giving incorrect results when used with TimeRangePicker drop-down

freephoneid
Path Finder

Hi,

I've a simple query as shown below to display the column chart over time.

MY_QUERY:
index=my_index sourcetype="my_log" loginClicked | timechart count

Here, I'm looking for the loginClicked line in the logs and displaying its count over time.

I also added the drop-down using advanced XML as shown below:

<module name="HiddenSearch" layoutPanel="panel" group="Number Of Login Clicks" autoRun="True">
  <module name="TimeRangePicker">
    <param name="searchWhenChanged">True</param>
    <param name="selected">Last 24 hours</param>
    <module name="HiddenSavedSearch" autoRun="True">
      <param name="savedSearch">MY_QUERY</param>
      <module name="HiddenChartFormatter">
        <param name="chart">column</param>
        <param name="primaryAxisTitle.text">Time</param>
        <module name="FlashChart">
          <module name="ConvertToDrilldownSearch">
            <module name="ViewRedirector">
              <param name="viewTarget">flashtimeline</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

When I was testing it for "Last 7 days", the count was coming up very high, around 1000, and I have a total of 120 occurrences of the loginClicked keyword in the log.

Can you please point out what's wrong with timechart?

Thanks!

1 Solution

sideview
SplunkTrust

I can think of two possibilities.

1) If you have scheduled that saved search, then you would normally get an error message displayed saying that the TimeRangePicker's timerange is not allowed to override the scheduled saved search time range. If you then had no Message module in the view it's possible you wouldn't see this error message. However if your search isn't scheduled and has never been scheduled this won't be the culprit.

2) You have two autoRun="True" attributes. You should never do this because it can potentially create an inconsistent state like this. Each autoRun="True" has an effect much like if the user clicked a 'submit button' right there when the page loads. When there are two such attributes, you have two clicks. Depending on which one runs first and how the HTTP requests are aborted, cached data can gum up the system and one effect on a view such as this can be that the timerange is ignored. Try removing the autoRun="true" on your HiddenSavedSearch and leave only the one higher up.

On a side note, it's very strange that you have a HiddenSearch module with no 'search' param. You can remove that module entirely (and move its autoRun to the TimeRangePicker). I think normally this would generate a big red error message in the view saying that the search param is required. If you're not seeing such an error it may be because your view lacks a Message module; if that's the case you should definitely give it one; if there are error messages about configuration problems you always want to see them.


0 Karma
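
A small lint for the three problems the answer above names (a nested autoRun, a HiddenSearch without a 'search' param, no Message module), as an added example that is not part of the original thread. The `<view>` wrapper, the trimmed sample view and the function names are assumptions made for illustration; only nested autoRun attributes are flagged, since that is the case on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the view from the question, trimmed and wrapped in a
# <view> root (the wrapper is an assumption, not taken from the post).
SAMPLE_VIEW = """<view>
<module name="HiddenSearch" layoutPanel="panel" autoRun="True">
  <module name="TimeRangePicker">
    <param name="selected">Last 24 hours</param>
    <module name="HiddenSavedSearch" autoRun="True">
      <param name="savedSearch">MY_QUERY</param>
      <module name="FlashChart"/>
    </module>
  </module>
</module>
</view>"""


def params(module):
    """Names of the <param> elements directly under a module."""
    return {p.get("name") for p in module.findall("param")}


def lint_view(xml_text):
    """Return sorted findings for the three problems named in the answer."""
    root = ET.fromstring(xml_text)
    findings = set()

    def walk(node, autorun_ancestor):
        for mod in node.findall("module"):
            name = mod.get("name")
            autorun = (mod.get("autoRun") or "").lower() == "true"
            # A second autoRun below one that is already set means two
            # "submit clicks" on page load, as the answer describes.
            if autorun and autorun_ancestor:
                findings.add(f"nested autoRun on {name} (already set on {autorun_ancestor})")
            if name == "HiddenSearch" and "search" not in params(mod):
                findings.add("HiddenSearch has no 'search' param")
            walk(mod, autorun_ancestor or (name if autorun else None))

    walk(root, None)
    # Without a Message module the view cannot display configuration errors.
    if not any(m.get("name") == "Message" for m in root.iter("module")):
        findings.add("no Message module: configuration errors will not be shown")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_view(SAMPLE_VIEW):
        print("WARN:", finding)
```
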
