- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart giving incorrect results when used with ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've a simple query as shown below to display the column chart over time.
MY_QUERY:
index=my_index sourcetype="my_log" loginClicked | timechart count
Here, I'm looking for loginClicked line in the logs & displaying its count over time.
I also added the drop-down using advanced XML as shown below:
<module name="HiddenSearch" layoutPanel="panel" group="Number Of Login Clicks" autoRun="True">
<module name="TimeRangePicker">
<param name="searchWhenChanged">True</param>
<param name="selected">Last 24 hours</param>
<module name="HiddenSavedSearch" autoRun="True">
<param name="savedSearch">MY_QUERY</param>
<module name="HiddenChartFormatter">
<param name="chart">column</param>
<param name="primaryAxisTitle.text">Time</param>
<module name="FlashChart">
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
When I was testing it for "Last 7 days", the count was coming up very high around 1000 & I've total 120 occurrences of loginClicked keyword in the log.
Can you please point out what's wrong with timechart?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can think of two possibilities.
1) If you have scheduled that saved search, then you would normally get an error message displayed saying that the TimeRangePicker's timerange is not allowed to override the scheduled saved search time range. If you then had no Message module in the view it's possible you wouldn't see this error message. However if your search isnt scheduled and has never been scheduled this won't be the culprit.
2) You have two autoRun="True" attributes. You should never do this because it can potentially create an inconsistent state like this. Each autoRun="True" has an effect much like if the user clicked a 'submit button' right there when the page loads. When there are two such attributes, you have two clicks. Depending on which one runs first and how the http requests are aborted, cached data can gum up the system and one effect on a view such as this can be that the timerange is ignored. Try removing the autoRun="true" on your HiddenSavedSearch and leave only the one higher up.
On a side note, it's very strange that you have a HiddenSearch module with no 'search' param. You can remove that module entirely (and move its autoRun to the TimeRangePicker). I think normally this would generate a big red error message in the view saying that the search param is required. If you're not seeing such an error it may be because your view lacks a Message module; if that's the case you should definitely give it one; if there are error messages about configuration problems you always want to see them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can think of two possibilities.
1) If you have scheduled that saved search, then you would normally get an error message displayed saying that the TimeRangePicker's timerange is not allowed to override the scheduled saved search time range. If you then had no Message module in the view it's possible you wouldn't see this error message. However if your search isnt scheduled and has never been scheduled this won't be the culprit.
2) You have two autoRun="True" attributes. You should never do this because it can potentially create an inconsistent state like this. Each autoRun="True" has an effect much like if the user clicked a 'submit button' right there when the page loads. When there are two such attributes, you have two clicks. Depending on which one runs first and how the http requests are aborted, cached data can gum up the system and one effect on a view such as this can be that the timerange is ignored. Try removing the autoRun="true" on your HiddenSavedSearch and leave only the one higher up.
On a side note, it's very strange that you have a HiddenSearch module with no 'search' param. You can remove that module entirely (and move its autoRun to the TimeRangePicker). I think normally this would generate a big red error message in the view saying that the search param is required. If you're not seeing such an error it may be because your view lacks a Message module; if that's the case you should definitely give it one; if there are error messages about configuration problems you always want to see them.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
