Dashboards & Visualizations

Single value visualisation is not working using sub search

marellasunil
Communicator

I am trying to build a single value visualisation using search & sub search, but it is not working.

<dashboard>
  <label>SImple dashboard</label>
  <search id="search1"> <query>earliest=-60m latest=now  index=XXXXXX </query> </search>
  <row>
    <panel>
      <single>
        <title>Successfull Logins</title>
        <search base="search1">
          <query> where like(sourcetype, "XXXXXX") |  stats count as Total</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0x65a637"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">0</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">TOtal</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>

juansegovia
Engager

I'm having the exact issue. The trend visualization on the single item panel works with the full search but it just shows a flat line when using a base search.

0 Karma

sundareshr
Legend

Try changing your base search and postprocess search like this:

base search:

earliest=-60m latest=now  index=XXXXXX | stats count by sourcetype

postprocess search

| search sourcetype="*XXXXXX*"
0 Karma

inventsekar
SplunkTrust

Actually, this one works fine.

Please run this query in search and see if it returns any events:
earliest=-30m latest=now index=XXXX | where like(sourcetype, "ABC") | stats count as Total

0 Karma

marellasunil
Communicator

I am getting a number (8).

Even after opening the dashboard, if I click the search icon below the dashboard view, the full Splunk search runs and gets the result (8).

But in the dashboard view single value visualisation, the value showing is 0 (zero).

0 Karma