- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Why can I not get a chart to appear using a base s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why can I not get a chart to appear using a base search on my dashboard?
I am attempting to use a base search on my dashboard, but I cannot get the chart to appear. Here is what the XML of the dashboard looks like:
<dashboard>
<search id="Prod1ValidateClaimLast30Min">
<query> index=ssi_app_index TATL message.facets.url=*ValidateClaim* message.facets.url=https://me.myself.com*</query>
<earliest>rt-30m</earliest>
<latest>rt</latest>
</search>
<label>SAP Test</label>
<row>
<panel>
<chart>
<title>Product Median ValidateClaim Last 30 Min, sec</title>
<search base="Prod1ValidateClaimLast30Min">
<query>stats median(message.facets.duration) as ValidationAvg | eval ValidationAvg=round(ValidationAvg/1000,2)</query>
</search>
</chart>
</panel>
</row>
</dashboard>
If I click on the "Open in Search" button from the dashboard then data shows up and the search is concatenated correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi SAPrabhakar,
I don't know why Splunk has this behavior that I found many times, maybe it's a Splunk bug and I opened a case to Support some months ago.
Every way, you can use a workaround (or better a "porkaround"!) inserting in your base search an eval command with fields you have to use in the panel's search, in your example:
index=ssi_app_index TATL message.facets.url=*ValidateClaim* message.facets.url=https://me.myself.com* | eval message.facets.duration=message.facets.duration
If you have more fields you have to add each one in the same way.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Your xml code syntax is correct just verify if your search code works well.
Verify if the following search code works :
index=ssi_app_index TATL message.facets.url="*ValidateClaim*" message.facets.url="https://me.myself.com*"|stats median(message.facets.duration) as ValidationAvg | eval ValidationAvg=round(ValidationAvg/1000,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try adding all the field values in double quotes and also add the field to be used later in second query.
index="ssi_app_index" TATL message.facets.url="ValidateClaim" message.facets.url="https://me.myself.com*"| *table message.facets.duration | fields **
Having said that your query should have worked as well, so try joining base and second stats query together and see if you are getting any results back or not.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a couple of things I think you should consider with what you are doing here.
- I am not sure you that you can use a real-time search as a base search. I don't see anything in the documentation, but I would be highly skeptical of that approach given the other limitations of base searches.
- You should look at all the things to avoid listed here: http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/Savedsearches#Post-process_searches. Big one is you should not return raw events in the base search.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
