Dashboards & Visualizations

Dashboard returning incomplete results

beaunewcomb
Communicator

I have a multi-chart dashboard using to generate graphs. Splunk only returns 10-13k events so the data is incomplete. This happens regardless of what I set the timeframe to. If I run the same queries on the search line, or just do a regular dashboard without form, all events come back.

    <?xml version='1.0' encoding='utf-8'?>
<form>
 <label>Event Volume Stats</label>
 <searchTemplate>`dp` environment=$environment$ <!--object=*--></searchTemplate>  
 <fieldset>
  <input type="dropdown" token="environment">
   <label>Environment</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="environment" fieldForLabel="environment">
           <![CDATA[earliest=-15min latest=now `dp` 
            | stats count by environment]]>
      </populatingSearch>
   </input>

<!--   <input type="dropdown" token="object">
     <label>Object</label>
     <choice value="*">All</choice>
     <populatingSearch fieldForValue="object" fieldForLabel="object">
        <![CDATA[earliest=-1h latest=now `dp` 
         | stats count by environment]]>
     </populatingSearch>
   </input>
-->

   <input type="time" />

  </fieldset>

   <row>
    <chart>
      <searchPostProcess>timechart count(environment) AS events BY environment usenull=f</searchPostProcess>
      <title>Volume</title>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Object Count</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.primaryAxisTitle.text"/>
      <option name="charting.secondaryAxisTitle.text"/>
    </chart>
  </row>

  <!-- 
  <row>
    <chart>
      <searchPostProcess>timechart count(object) AS events BY object usenull=f</searchPostProcess>
      <title>Volume</title>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Object Count</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.primaryAxisTitle.text"/>
      <option name="charting.secondaryAxisTitle.text"/>
    </chart>
  </row>

    <row>
    <table>
      <searchPostProcess>chart count(object) AS events BY object | sort -events</searchPostProcess>
      <title>Object Count</title>
      <option name="dataOverlayMode">heatmap</option>
      <option name="displayRowNumbers">false</option>
      <option name="drilldown">none</option>
    </table>
    <chart>
      <searchPostProcess>chart limit=0 count(object) AS events BY object | sort -events</searchPostProcess>
      <title>Object Count Distribution</title>
      <option name="charting.chart">pie</option>
      <option name="drilldown">none</option>
    </chart>
  </row>
        -->
</form>
Tags (3)
0 Karma

fernandoandre
Communicator

Hi

I think this can solve you problem:

alt text

Please give feedback if it worked.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...