Dashboard returning incomplete results

beaunewcomb · ‎07-25-2012

I have a multi-chart dashboard using to generate graphs. Splunk only returns 10-13k events so the data is incomplete. This happens regardless of what I set the timeframe to. If I run the same queries on the search line, or just do a regular dashboard without form, all events come back.

    <?xml version='1.0' encoding='utf-8'?>
<form>
 <label>Event Volume Stats</label>
 <searchTemplate>`dp` environment=$environment$ <!--object=*--></searchTemplate>  
 <fieldset>
  <input type="dropdown" token="environment">
   <label>Environment</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="environment" fieldForLabel="environment">
           <![CDATA[earliest=-15min latest=now `dp` 
            | stats count by environment]]>
      </populatingSearch>
   </input>

<!--   <input type="dropdown" token="object">
     <label>Object</label>
     <choice value="*">All</choice>
     <populatingSearch fieldForValue="object" fieldForLabel="object">
        <![CDATA[earliest=-1h latest=now `dp` 
         | stats count by environment]]>
     </populatingSearch>
   </input>
-->

   <input type="time" />

  </fieldset>

   <row>
    <chart>
      <searchPostProcess>timechart count(environment) AS events BY environment usenull=f</searchPostProcess>
      <title>Volume</title>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Object Count</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.primaryAxisTitle.text"/>
      <option name="charting.secondaryAxisTitle.text"/>
    </chart>
  </row>

  <!-- 
  <row>
    <chart>
      <searchPostProcess>timechart count(object) AS events BY object usenull=f</searchPostProcess>
      <title>Volume</title>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Object Count</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.primaryAxisTitle.text"/>
      <option name="charting.secondaryAxisTitle.text"/>
    </chart>
  </row>

    <row>
    <table>
      <searchPostProcess>chart count(object) AS events BY object | sort -events</searchPostProcess>
      <title>Object Count</title>
      <option name="dataOverlayMode">heatmap</option>
      <option name="displayRowNumbers">false</option>
      <option name="drilldown">none</option>
    </table>
    <chart>
      <searchPostProcess>chart limit=0 count(object) AS events BY object | sort -events</searchPostProcess>
      <title>Object Count Distribution</title>
      <option name="charting.chart">pie</option>
      <option name="drilldown">none</option>
    </chart>
  </row>
        -->
</form>

fernandoandre · ‎02-19-2013

Hi

I think this can solve you problem:

Please give feedback if it worked.

Dashboard returning incomplete results

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!