- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Why isn't my report PDF showing any results and th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why isn't my report PDF showing any results and then not delivering the report?
I have created reports to find the license usage by hosts. The report is running to show license usage by hosts for last 4 days. But earlier when the report was delivered it showed no results(it was blank). And now the report was not even delivered while in job inspector it is showing the status as "Done".
The only thing is the Event Count for every report is about "103,291,427" . Is this the reason for the reports showing no data?
What are the possible reasons for this ? or what can be done in order to make the reports work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, your code is like this...
sourcetype=fgt devname=loc1 OR devname=loc2 OR devname=loc3
| eval Bytes=len(_raw)
| eval Date=strftime(_time,"%Y-%m-%d")
| eval GB=(Bytes/(1024*1024*1024))
| chart span=1d sum(GB) over devname by Date limit=0
The above should always give results when the following conditions are true
1) there are events in sourcetype=fgt with devname=loc1 OR devname=loc2 OR devname=loc3
2) field _raw exists in the events.
3) the events have a valid _time.
4) the events are on an index that you have access to read. (YOU SHOULD ALWAYS CODE "index=foo")
5) the search has time to complete.
I suspect the problem is item 5.
To test items 1-4, run this in verbose mode...
sourcetype=fgt with devname=loc1 OR devname=loc2 OR devname=loc3
| head 1
| eval Bytes=len(_raw)
| eval Date=strftime(_time,"%Y-%m-%d")
| eval GB=(Bytes/(1024*1024*1024))
If the above search generates no results, then there is an error in the search code. Perhaps the fields have been renamed since the original search was coded, or perhaps you have lost security access to the index.
If there are results, then verify that Bytes, Date and GB all have valid values. If they do, then the problem is probably that your scheduled search ran out of time before it could complete.
Check the job for messages. I believe you can open the scheduled search (the empty results) and then use the job inspector to look for messages.
There are a couple of ways to extend the search time, but we'll explore your followup question first, since tstats, if workable, is a better use of machine time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Ensure your system is indexing anything.
2) Please post the code. We can help you figure out whether it is the code or something else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can we use |tstats command to get the usage by sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=fgt devname=loc1 OR devname=loc2 OR devname=loc3 | eval Bytes=len(_raw) | eval Date=strftime(_time,"%Y-%m-%d") | eval GB=(Bytes/(1024*1024*1024)) | chart span=1d sum(GB) over devname by Date limit=0
We are using the above query to calculate the license usage by device name for specific locations.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
