Splunk Search

Why is my dashboard panel showing different values from the base report?

robettinger
Explorer

Hi,

I wonder if someone can help me on something. I created a report which runs absolutely fine no matter when I run it. I added the report to a dashboard panel, but now some values are missing.

This is the search string:

index=risk sourcetype=feed_info 
| eval sys1_arrival_time=if(sys1_arrival_time=="NULL", "",sys1_arrival_time ) 
| eval sys2_end_time=if(sys2_end_time=="NULL", "",sys2_end_time ) 
| eval timenow=now() 
| eval nowstring=strftime(now(), "%Y-%m-%d") 
| eval sys1_exp_time_string=nowstring+" "+tostring(system1_expected_time) 
| eval sys1_exp_time_epoch=strptime(sys1_exp_time_string, "%Y-%m-%d %H:%M:%S") 
| eval sys1_arrival_time_epoch=strptime(sys1_arrival_time, "%Y-%m-%d %H:%M:%S") 
| eval sys1_status=case(timenow>sys1_exp_time_epoch AND isnull(sys1_arrival_time_epoch), "Late", timenowsys1_exp_time_epoch, "OK (Arrived Late)", sys1_arrival_time_epoch<=sys1_exp_time_epoch, "OK") 
| eval sys2_exp_time_string=nowstring+" "+tostring(system2_expected_time) 
| eval sys2_exp_time_epoch=strptime(sys2_exp_time_string, "%Y-%m-%d %H:%M:%S") 
| eval sys2_end_time_epoch=strptime(sys2_end_time, "%Y-%m-%d %H:%M:%S") 
| eval sys2_status=case(timenow>sys2_exp_time_epoch AND isnull(sys2_end_time_epoch), "Late", timenowsys2_exp_time_epoch, "OK (Finished Late)", sys2_end_time_epoch<=sys2_exp_time_epoch, "OK") 
| table value_date,feedname, sys1_exp_time_string,sys1_arrival_time, sys1_status, sys2_exp_time_string,sys2_end_time, sys2_status 
| rename sys1_exp_time_string AS sys1_expected_time, sys2_exp_time_string as "sys2_expected_time"  
| dedup 1 feedname

The different values are the sys1_status and sys2_status. Curiously these two are calculated fields, based on time. I also noticed that the issue happens after 6pm - during the day it works fine.

Faulty Panel: http://s000.tinyupload.com/?file_id=06140936697604993623
Working Report: http://s000.tinyupload.com/?file_id=76794376457864993058

Both screenshots were taken at the same time.

Thanks!

0 Karma

Jarohnimo
Builder

It's probably truncating your results in the dashboard. If you adjust your time span more in your timetable or what have you... it will look even on the display.

I'm sure there's a way to modify Splunk truncation rules. Or at least a better workaround.

0 Karma

robettinger
Explorer

Yes, it is truncating results, probably because it's running a fast (instead of a verbose) search. Just don't know how to force a verbose search on dashboard panels...

0 Karma

robettinger
Explorer

Hmmmm... I also noticed that the number of events is less in the dashboard and that the search runs in fast mode. Is there a way to force verbose mode?

0 Karma