Data is getting indexed and is visible in events b...

muralisushma7 · ‎01-31-2017

Hi,

I created a dashboard which displays the router information.

All of the data so far indexed is visible through visualization tab. For four of the router's, it is not showing under visualization tab.

This query displays the data in visualization tab:

index="itscebu" sourcetype="ncr_cebu_csv" host=* sitename="New-York" tier=tier1 router=rdusnyork010-35-1.corp.Gi0-0-2.2379 | eval date_wday=strftime(_time,"%u") |eval start_e=strptime(start_hour,"%H:%M")|eval start_h=strftime(start_e,"%H:%M")|eval end_e=strptime(end_hour,"%H:%M")|eval end_h=strftime(end_e,"%H:%M")|where time_custom>=start_h AND time_custom=start_wday AND date_wday<=end_wday | eval Intraffic=In/1048576 | timechart span=1h MAX(Intraffic) AS MAXIntraffic ,values("receive_bandwidth") as MAXIN-Bandwidth

whereas this query does not:

index="itscebu" sourcetype="ncr_cebu_csv" host=* sitename="New-York" tier=tier1 router=fusxpowtc1.eth-s4p1 | eval date_wday=strftime(_time,"%u") |eval start_e=strptime(start_hour,"%H:%M")|eval start_h=strftime(start_e,"%H:%M")|eval end_e=strptime(end_hour,"%H:%M")|eval end_h=strftime(end_e,"%H:%M")|where time_custom>=start_h AND time_custom=start_wday AND date_wday<=end_wday | eval Intraffic=In/1048576 | timechart span=1h MAX(Intraffic) AS MAXIntraffic ,values("receive_bandwidth") as MAXIN-Bandwidth

Please help!

Regards,
Sushma.

DalJeanis · ‎01-31-2017

The only difference I see there is the router.

Try this and see if you get any events. If not, then (a) your router is misspelled or is not creating data or possibly (b) your router is in a different tier or the sourcetype is different, or something. Then go find your data.

index="itscebu" sourcetype="ncr_cebu_csv" host=* 
sitename="New-York" tier=tier1 router=fusxpowtc1.eth-s4p1 | head 5

If it DOES return some data, then try this -

index="itscebu" sourcetype="ncr_cebu_csv" host=* 
sitename="New-York" tier=tier1 router=rdusnyork010-35-1.corp.Gi0-0-2.2379 | head 5 
| append [ index="itscebu" sourcetype="ncr_cebu_csv" host=* 
sitename="New-York" tier=tier1 OR router=fusxpowtc1.eth-s4p1 | head 5]
| fillnull value=NULL start_hour end_hour time_custom start_wday end_wday
| table  host _time start_hour end_hour time_custom start_wday end_wday
| sort host _time

If any field comes up in that table with the word "NULL" for the s4p1 router data,
and NOT for the other one, you have your culprit field. Somehow that field is
getting populated for one router and not the other.

muralisushma7 · ‎01-31-2017

Hi,

For the first query, I did not get any output. It displayed as "No results found".

For the second query, it displayed as Unknown search command index.

fusxpowtc1 gets indexed and events are visible, but it is not displaying in the dashboard. Where can I check

to see the logs for dashbaord. Hope I could see some error or warning over there, based on which we can

rectify.

Regards,
Sushma.

muralisushma7 · ‎02-02-2017

Hi,

I was able to figure out the issue. It was because while indexing the folder, I have mentioned a regular expression for host field as (?\w+-\d+-\d.+). and a spearate index for it.This does not match with the router name fusxpowtc1.eth-s4p1.csv where as it macthes with the other routers. Hence I guess , this is the reason for it not displaying the data in dashboard .

Hence as a next step I created a separate folder with 4 values in it (two with the fusx names and two with the rdaedu.. names)changed the expression to (?\w+) and tried to index into same location.
But search results show nothing. Do you think problem is with my regular expression or problem with indexing of new data?

Please help!

Regards,
Sushma.

Data is getting indexed and is visible in events but it does not appear in the dashboard created by me.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk