I have a dashboard that has been working fine while using Splunk version 5. We just upgraded to 6.2 and the search is no longer displaying data in the chart.
sourcetype="search1" host=host1* | timechart avg(retrans) as "TCP Retransmissions" | eventstats first("TCP Retransmissions") AS FBS | eval "TCP Retransmissions" = 'TCP Retransmissions' - FBS | fields "TCP Retransmissions"
I don't get any errors, but also don't see any data on the chart. If I click open in search, I can see the data.
TCP Retransmissions _time
0.000000 2016-07-18 06:37:00
3.000000 2016-07-18 06:38:00
9.000000 2016-07-18 06:39:00
18.000000 2016-07-18 06:40:00
34.000000 2016-07-18 06:41:00
42.000000 2016-07-18 06:42:00
48.000000 2016-07-18 06:43:00
Sometimes Splunk removes x-axis markers when using table and there are too many values. This should fix it:
sourcetype="search1" host=$desktop$ | timechart avg(retrans) as "TCP Retransmissions" | eventstats first("TCP Retransmissions") AS FBS | eval "TCP Retransmissions" = 'TCP Retransmissions' - FBS | timechart avg("TCP Retransmissions") as "TCP Retransmissions"
Perfect!!!!!! Works how it used to. Thanks so much. Much appreciated.
Please post your dashboard XML code. I'm guessing it was developed in advanced XML. Even though advanced XML is supported, I would suggest recreating that in the powerful simple XML of Splunk 6.2.
I created the old dashboard with simple xml. After the upgrade all of my charts worked except a few on one dashboard. Below is one of the broken charts.
<chart>
<searchTemplate>
sourcetype="search1" host=$desktop$ | timechart avg(retrans) as "TCP Retransmissions" | eventstats first("TCP Retransmissions") AS FBS | eval "TCP Retransmissions" = 'TCP Retransmissions' - FBS | fields "TCP Retransmissions"
</searchTemplate>
<title>TCP Retransmissions Totals</title>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleY.text">TCP Retransmissions)</option>
<option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text"/>
<option name="count"><![CDATA[addinfo | eval diff = info_max_time - _time
| eval bucket = case(diff <= 86400, "1 day", 86400 < diff AND
diff <= 172800, "2 days", 172800 < diff AND
diff <= 604800, "1 week", 604800 < diff AND
diff <= 1209600, "2 weeks", 1209600 < diff AND
diff <= 2628000, "1 month") | chart count by bucket]]>
</option>
<option name="displayRowNumbers">true</option>
</chart>
And this is a chart that works fine, but similar.
<chart>
<searchTemplate>sourcetype="search1" host=$desktop$ | timechart avg(internal_time) as "Ping Time"</searchTemplate>
<title>Internal Ping Time</title>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleY.text">Ping Time (ms)</option>
<option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text"/>
<option name="count"><![CDATA[addinfo | eval diff = info_max_time - _time
| eval bucket = case(diff <= 86400, "1 day", 86400 < diff AND
diff <= 172800, "2 days", 172800 < diff AND
diff <= 604800, "1 week", 604800 < diff AND
diff <= 1209600, "2 weeks", 1209600 < diff AND
diff <= 2628000, "1 month") | chart count by bucket]]>
</option>
<option name="displayRowNumbers">true</option>
</chart>
<chart>
Well I might have it working, but I'm not quite sure why. I tried this:
sourcetype="search1" host=host1 | eventstats last(retrans) AS FBS | eval "TCP Retransmissions" = 'retrans' - FBS |timechart span=1m avg("TCP Retransmissions")
This seems to display the chart correctly, but I'm not sure why I have to move the timechart to the end. Any ideas? Also, does this search do the same thing as my original?
No, it does not. The original search was using timechart's output in eventstats; this takes from raw data, so results can be different.
Just saw something weird in your original query. In the last part, you're just selecting the "TCP Retransmissions" field. How would you chart without the _time field? How about you try this query:
sourcetype="search1" host=$desktop$ | timechart avg(retrans) as "TCP Retransmissions" | eventstats first("TCP Retransmissions") AS FBS | eval "TCP Retransmissions" = 'TCP Retransmissions' - FBS | table _time "TCP Retransmissions"
That seems to work, but I'm missing the dates. I see the "Date" text at the bottom, but I don't see the horizontal days listed on the charts like I see on my other charts. I do see the vertical numbers on the side of the chart OK.
Also, I'm not sure how the old chart worked with version 5. Maybe they were more forgiving with my poor Splunk searches.
Can you try swapping the search in these two panels? Just wanted to confirm if it's due to data returned by the searches. Also check if this is a typo:
<option name="charting.axisTitleY.text">TCP Retransmissions**)**</option>
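The difference noted in the thread between running eventstats on timechart output and running it on raw events, modelled in Python as an added example (not code from the thread or from Splunk). The event values are constructed, and the model assumes raw events reach eventstats newest first, so last() picks the oldest event.

```python
# Constructed sample events as (epoch_seconds, retrans), oldest first.
EVENTS = [(0, 100), (30, 104), (60, 110), (90, 112), (120, 130)]


def timechart_avg(events, span=60):
    """Model of `timechart span=1m avg(x)`: one row per bucket, ascending _time."""
    buckets = {}
    for t, v in sorted(events):
        buckets.setdefault(t - t % span, []).append(v)
    return [(b, sum(vs) / len(vs)) for b, vs in buckets.items()]


def original_pipeline(events):
    """timechart avg(retrans) | eventstats first(...) AS FBS | eval ... - FBS"""
    rows = timechart_avg(events)
    # first() over timechart rows is the earliest bucket's AVERAGE.
    fbs = rows[0][1]
    return [(t, v - fbs) for t, v in rows]


def reordered_pipeline(events):
    """eventstats last(retrans) AS FBS | eval ... - FBS | timechart span=1m avg(...)"""
    # Assumption: raw events arrive newest first, so last() is the
    # single oldest event's value, not a bucket average.
    search_order = sorted(events, reverse=True)
    fbs = search_order[-1][1]
    shifted = [(t, v - fbs) for t, v in events]
    return timechart_avg(shifted)


if __name__ == "__main__":
    for (t, a), (_, b) in zip(original_pipeline(EVENTS), reordered_pipeline(EVENTS)):
        print(f"_time={t:>4}  original={a:6.1f}  reordered={b:6.1f}")
```

The two series differ by a constant offset whenever the earliest bucket holds more than one event, because one baseline is a bucket average and the other is a single raw value.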