I have the following Splunk query that I have used in a dashboard:
[search source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"| stats avg(time_taken) by cs_uri_filepath | sort - avg(time_taken) | head 10 | fields + cs_uri_filepath] | timechart span=1d avg(time_taken) by cs_uri_filepath
Above query returns the data when I run it in the search view. But when used in a dashboard, for some reason, Splunk seems to be appending an extra keyword 'Search' to the query. The query looks like:
search [search source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"| stats avg(time_taken) by cs_uri_filepath | sort - avg(time_taken) | head 10 | fields + cs_uri_filepath] | timechart span=1d avg(time_taken) by cs_uri_filepath
The above query does not return any data and hence the dashboard does not display the graph. Also, I do not face this issue when I have my dashboard designed for a single panel that uses the query that I have mentioned in the beginning of the post. The moment I add 2-3 panels (even if all the panels use the same query) in my dashboard, the query gets modified to add the extra 'search' keyword. Has anyone faced this issue before and knows how to get rid of it?
Actually, although you're not typing in the 'search' command into the search UI, it does put on there under the hood.
I think you're comparing apples and oranges -- what you see in the search bar (with no search), to the search that the dashboards kick off, which has a leading search command.
You can verify this by looking at the search that the search UI is kicking off - that'll have a search too even though you didn't put one there.
So it's something else causing the difference.
As far as working around the problem -- I agree with Paolo - I don't see the benefit of using a subsearch here - it'll be more straightforward and it'll run faster if you just do the same processing in the main search.
If letting timechart calculate the top 10 values doesn't work for you, you can make more advanced determinations by using streamstats to put aggregate statistics on the events themselves and then using search or where to compare and filter each event row before it gets to the timechart.
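One way to write the "aggregate on the events, then filter with where" approach from the answer above, as an added example that is not from the original thread. It uses eventstats (rather than streamstats) to stamp each event with the average time_taken of its cs_uri_filepath, then streamstats to number the distinct paths in descending order of that average, and where to keep only the first 10. The field names path_avg and path_rank are made up for this example; the source, token and filepath filters are the ones from the question.

```spl
source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"
| eventstats avg(time_taken) AS path_avg BY cs_uri_filepath
| sort 0 - path_avg
| streamstats dc(cs_uri_filepath) AS path_rank
| where path_rank <= 10
| fields - path_avg path_rank
| timechart span=1d avg(time_taken) BY cs_uri_filepath
```

Because the events are sorted by path_avg descending before streamstats counts distinct paths, every event of the top 10 paths gets path_rank of 10 or less and everything else is dropped before timechart runs. The pipeline starts with a plain base search, so the `search` command a dashboard prepends changes nothing. `sort 0` removes the default 10000-row cap, which also means the whole 15-day result set is sorted in memory; for a large source the limit=10 form of timechart in the other answer is the cheaper choice.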
Hi, is your intention to only timechart the 10 cs_uri_filepath which have the greatest avg(time_taken)? In that case I think you could replace your query with:
source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"
| timechart span=1d agg=sum useother=false limit=10 avg(time_taken) by cs_uri_filepath