- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Why is my dashboard panel query only working in se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've observed that my dashboard panel query(that has stats) has returned no records when I have stats in it. But, when I tried to run the same query in the search page by selecting verbose mode, it returned the result.
When I remove stats, it's working in the dashboard panel, but I need to count the records using stats per the requirement. Would like to check if there is a way to set verbose mode in a saved dashboard panel query
index=db_errors | dbxlookup lookup=QERROR|eval earlyDate=strftime("1541836800", "%Y-%m-%d")| eval latestDate=strftime("1542268800", "%Y-%m-%d")| eval createdOn=strptime(CREATED_ON, "%Y-%m-%d %H:%M:%S")|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sureshkrovi ,
If you trying stats on an extracted field, try explicitly mentioning the field list before your stats command.
index=db_errors | dbxlookup lookup=QERROR|eval earlyDate=strftime("1541836800", "%Y-%m-%d")
| eval latestDate=strftime("1542268800", "%Y-%m-%d")| eval createdOn=strptime(CREATED_ON, "%Y-%m-%d %H:%M:%S")
|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
|fields field1,field2,..fieldn |stats count by yourfieldlists
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never mind,this is resolved.fields should be before lookup not at the end as the filter(where clause) is getting null created_date if we put fields at end that fails the query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @sureshkrovi
Try like this .
Run your query in search page.click on visualization select which one you want.
just save it as dashboard ,If you want to add in exciting dashboard or new dashboard with your own choice.
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sureshkrovi ,
If you trying stats on an extracted field, try explicitly mentioning the field list before your stats command.
index=db_errors | dbxlookup lookup=QERROR|eval earlyDate=strftime("1541836800", "%Y-%m-%d")
| eval latestDate=strftime("1542268800", "%Y-%m-%d")| eval createdOn=strptime(CREATED_ON, "%Y-%m-%d %H:%M:%S")
|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
|fields field1,field2,..fieldn |stats count by yourfieldlists
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more observation is in search mode I see message "No data found yet" while query is running ,but in dashboard execution I didn't see this message.
Is anything we can suspect query execution time?e.g dasbhboard execution stops when query takes long time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what yourfieldlists refer here.Is it single field or do I need to mention all the fields.I tried this option but didn't work out.Note that ERROR_CATEGORY_NAME is the lookup output field
|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
