Dashboards & Visualizations

Single value visualisation is not working using sub search

marellasunil
Communicator

I am trying to build a single value visualisation using search & sub search, but it is not working.

<dashboard>
  <label>SImple dashboard</label>
  <search id="search1">
    <query>earliest=-60m latest=now index=XXXXXX</query>
  </search>
  <row>
    <panel>
      <single>
        <title>Successfull Logins</title>
        <search base="search1">
          <query> where like(sourcetype, "XXXXXX") |  stats count as Total</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0x65a637"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">0</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">TOtal</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>

juansegovia
Engager

I'm having the exact issue. The trend visualization on the single item panel works with the full search but it just shows a flat line when using a base search.

0 Karma

sundareshr
Legend

Try changing your base search and postprocess search like this:

base search:

earliest=-60m latest=now  index=XXXXXX | stats count by sourcetype

postprocess search:

| search sourcetype="*XXXXXX*"
0 Karma

inventsekar
SplunkTrust

Actually, this one works fine.

Please run this query in search and see if it returns any events:
earliest=-30m latest=now index=XXXX | where like(sourcetype, "ABC") | stats count as Total

0 Karma

marellasunil
Communicator

I am getting a number (8).

Even after opening the dashboard, if I click the search icon below the dashboard view, the full Splunk search runs and gets the result (8).

But in the dashboard view's single value visualisation, the value shown is 0 (zero).

0 Karma