Hello.
The problem is that dashboards not show any data.
I have:
Common Information Model Add-on
Accelerations on the Network_Traffic data model
Field extractions and tags on my network traffic events are correct (or not, but I can see data in Network_Traffic data model by Pivot)
Have you accelerated the Network_Traffic data model? You can run the following to test:
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic
This should be run over the time range you for which you would like to see reports. This will give you a count of the number of events present in the accelerated data model. If that number is zero, there there is nothing in there, so the accelerations have either not been configured, or have not completed. If the number seems like it may be accurate for the number of events you expect to see, then there is something else going on.
Thanks,
Dave
Have you accelerated the Network_Traffic data model? You can run the following to test:
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic
This should be run over the time range you for which you would like to see reports. This will give you a count of the number of events present in the accelerated data model. If that number is zero, there there is nothing in there, so the accelerations have either not been configured, or have not completed. If the number seems like it may be accurate for the number of events you expect to see, then there is something else going on.
Thanks,
Dave
Yeap, I accelerated the Network_Traffic.
This results was by 1 sec - http://prntscr.com/hmk6zq
And this is on the same search head as the Network Traffic App? can you post some screenshots of the particular dashboard you are having issues with?
Yeap. http://prntscr.com/hmm3e6
http://prntscr.com/hmm1m4 - such results with all dashboards of Network Traffic App
http://prntscr.com/hmm4vo - maybe the problem with macros?
From that screenshot, it looks like some of your fields may not be mapped correctly, but it's a hard thing to try to fix over answers. What kind of results do you get if you run:
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.action
vs
| tstats summariesonly=true allow_old_summaries=false count from datamodel=Network_Traffic by All_Traffic.action
From those, it looks like there are two things:
network_traffic_tstats
and network_traffic_tstats_pre
to include the allow_old_summaries=true
at the end (it defaults to false, but if your DMAs are rebuilding or in process, setting it to true
can help display data in a more prompt manner. oh, now it's looks better 😆
http://prntscr.com/hmn91e
http://prntscr.com/hmn9y3
http://prntscr.com/hmncjc
http://prntscr.com/hmncxb
http://prntscr.com/hmnd7f
http://prntscr.com/hmnev0
http://prntscr.com/hmnf80
http://prntscr.com/hmnhzz
and ye, i need fix some fields. What should i do to fix it?
And can you more detail explain me why it works with allow_old_summaries=true
and not work by default macros?
To fix the fields you will need to fix the field extractions in the source data.
For the allow_old_summaries
argument, from the docs page for tstats:
To return results from summary
directories only when those
directories are up-to-date, set this
parameter to false. If the data model
definition has changed, summary
directories that are older than the
new definition are not used when
producing output from tstats. This
default ensures that the output from
tstats will always reflect your
current configuration. When set to
true, tstats will use both current
summary data and summary data that was
generated prior to the definition
change. Essentially this is an
advanced performance feature for cases
where you know that the old summaries
are "good enough".