All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search executes before loading icon from lookup

nathanluke86
Communicator
‎11-06-2019 04:32 AM

Hi @chrisyoungerjds ,

When running a dashboard search for Flow Map Viz the not all icons in the lookup seem load fast enough and some icons revert to the default square.

Is there a way to ensure all icons load successfully or is this a limitation of the app

Kind regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎11-11-2019 02:01 AM

Hi @nathanluke86
Apologies for the delay in responding, I have been on holidays. Your query looks fine, and there is no problem with using tokens/dropdowns. The only thought I have is that the icons failing to load might happen becuase Splunk takes a bit of extra time to do the subsearch (the append). Lucky there may be a simple fix for this, try replacing teh last line with this instead:

|inputlookup append=t path.csv

so your whole query would look like this

index = iis dest_host=$dest$ src_host_name=$src$ status=*
| chart useother=false usenull=false count over src_host_name by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good,
,sum(eval(if(like(status,"4%"),count,0))) as error, ,sum(eval(if(like(status,"3%"),count,0))) as warn
,values(eval(if(status=="src_host_name",count,NULL))) as src_host_name by tmp
| eval from=src_host_name , to="dest_host"
| fields from to error warn good
|inputlookup append=t path.csv

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎11-11-2019 02:01 AM

Hi @nathanluke86
Apologies for the delay in responding, I have been on holidays. Your query looks fine, and there is no problem with using tokens/dropdowns. The only thought I have is that the icons failing to load might happen becuase Splunk takes a bit of extra time to do the subsearch (the append). Lucky there may be a simple fix for this, try replacing teh last line with this instead:

|inputlookup append=t path.csv

so your whole query would look like this

index = iis dest_host=$dest$ src_host_name=$src$ status=*
| chart useother=false usenull=false count over src_host_name by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good,
,sum(eval(if(like(status,"4%"),count,0))) as error, ,sum(eval(if(like(status,"3%"),count,0))) as warn
,values(eval(if(status=="src_host_name",count,NULL))) as src_host_name by tmp
| eval from=src_host_name , to="dest_host"
| fields from to error warn good
|inputlookup append=t path.csv
0 Karma
Reply
Solved! Jump to solution

nathanluke86
Communicator
‎11-12-2019 02:12 AM

Thanks @chrisyoungerjds,

This seems to have resolved this issue.

Thanks for being so supportive.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎11-12-2019 02:22 AM

good stuff. glad its sorted

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎11-06-2019 11:43 AM

No this should not occur but I do believe you becuase a while back I had a similar problem. I think what might be happening is that you might have multiple "node" rows, or late arriving "node" rows in your data. Its a big hard to explain but if you are able to share your search query I can help further

0 Karma
Reply
Solved! Jump to solution

nathanluke86
Communicator
‎11-07-2019 07:29 AM

Thanks @chrisyoungerjds

index = iis dest_host=$dest$ src_host_name=$src$ status=*
| chart useother=false usenull=false count over src_host_name by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good,
,sum(eval(if(like(status,"4%"),count,0))) as error, ,sum(eval(if(like(status,"3%"),count,0))) as warn
,values(eval(if(status=="src_host_name",count,NULL))) as src_host_name by tmp
| eval from=src_host_name , to="dest_host"
| fields from to error warn good
|append [| inputlookup path.csv]

Could this be caused by the drop down menus I am using for src and dest host.

I'm loving this app by the way.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...