Splunk Search

Why is my column chart not displaying any data even though it is setup correctly?

cdgill
Explorer

Here is my search query:

index=jenkins* job_name="jenkins-representative-jobs_github_organization/math_utilities/master" event_tag=job_event (type=started OR type=completed)  | dedup build_number | eval build_duration = job_duration - queue_time - 'test_summary.duration' | chart count by build_duration | fields build_number job_duration queue_time test_summary.duration

And here is a link to the chart to get an idea of what I'm seeing. https://imgur.com/a/2HcyE
Basically, the chart template is being created perfectly, but no data is filling it. Any help?

Tags (2)
0 Karma

493669
Super Champion

Hi @cdgill,
It's due to permission issue in your automatic lookup- pan_vendor_info_lookup
Change its permission to global :
In UI go to Settings>>Lookup>>Automatic lookups>> change sharing permission of pan_vendor_info_lookup so that it will be available in your query.
Hope this helps!

0 Karma

493669
Super Champion

@cdgill,
have you tried this?

0 Karma

cdgill
Explorer

Yes, that changed nothing though sadly.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

After your chart command, only field available are build_duration and count. You field command is trying to output fields that doesn't exist hence no chart data is shown. Get rid of last fields command to see some data there (plotting count of events for each value of build_duration.

cdgill
Explorer

That does show me some data, but I'm trying to have it show me a breakdown the queue, build, and test times. How can I get those values to show up?

0 Karma

cdgill
Explorer

I want time to be on the Y-Axis and the individual build number to be on the X-Axis.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

How about this?

index=jenkins* job_name="jenkins-representative-jobs_github_organization/math_utilities/master" event_tag=job_event (type=started OR type=completed)  | dedup build_number | eval build_duration = job_duration - queue_time - 'test_summary.duration' | table build_number build_duration
0 Karma

cdgill
Explorer

That pretty much works perfectly thank you! Now my only remaining issue seems to be with test_summary.duration. If I end with this table build_number build_duration queue_time 'test_summary.duration'
everything shows up fine except there are no values in the chart or table for test_summary. However if I remove the single quotes around it all those values will appear, but build_duration will disappear. I assume it has something to do with it being a string for some reason, but I don't know the workaround.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...