- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Dashboards not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
The problem is that dashboards not show any data.
I have:
Common Information Model Add-on
Accelerations on the Network_Traffic data model
Field extractions and tags on my network traffic events are correct (or not, but I can see data in Network_Traffic data model by Pivot)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you accelerated the Network_Traffic data model? You can run the following to test:
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic
This should be run over the time range you for which you would like to see reports. This will give you a count of the number of events present in the accelerated data model. If that number is zero, there there is nothing in there, so the accelerations have either not been configured, or have not completed. If the number seems like it may be accurate for the number of events you expect to see, then there is something else going on.
Thanks,
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you accelerated the Network_Traffic data model? You can run the following to test:
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic
This should be run over the time range you for which you would like to see reports. This will give you a count of the number of events present in the accelerated data model. If that number is zero, there there is nothing in there, so the accelerations have either not been configured, or have not completed. If the number seems like it may be accurate for the number of events you expect to see, then there is something else going on.
Thanks,
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeap, I accelerated the Network_Traffic.
This results was by 1 sec - http://prntscr.com/hmk6zq
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And this is on the same search head as the Network Traffic App? can you post some screenshots of the particular dashboard you are having issues with?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeap. http://prntscr.com/hmm3e6
http://prntscr.com/hmm1m4 - such results with all dashboards of Network Traffic App
http://prntscr.com/hmm4vo - maybe the problem with macros?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From that screenshot, it looks like some of your fields may not be mapped correctly, but it's a hard thing to try to fix over answers. What kind of results do you get if you run:
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.action
vs
| tstats summariesonly=true allow_old_summaries=false count from datamodel=Network_Traffic by All_Traffic.action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From those, it looks like there are two things:
- The action field is not being extracted properly for the source data
- You should edit the
network_traffic_tstatsandnetwork_traffic_tstats_preto include theallow_old_summaries=trueat the end (it defaults to false, but if your DMAs are rebuilding or in process, setting it totruecan help display data in a more prompt manner.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oh, now it's looks better 😆
http://prntscr.com/hmn91e
http://prntscr.com/hmn9y3
http://prntscr.com/hmncjc
http://prntscr.com/hmncxb
http://prntscr.com/hmnd7f
http://prntscr.com/hmnev0
http://prntscr.com/hmnf80
http://prntscr.com/hmnhzz
and ye, i need fix some fields. What should i do to fix it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And can you more detail explain me why it works with allow_old_summaries=true and not work by default macros?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To fix the fields you will need to fix the field extractions in the source data.
For the allow_old_summaries argument, from the docs page for tstats:
To return results from summary
directories only when those
directories are up-to-date, set this
parameter to false. If the data model
definition has changed, summary
directories that are older than the
new definition are not used when
producing output from tstats. This
default ensures that the output from
tstats will always reflect your
current configuration. When set to
true, tstats will use both current
summary data and summary data that was
generated prior to the definition
change. Essentially this is an
advanced performance feature for cases
where you know that the old summaries
are "good enough".
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
