Dashboard returning incomplete results

beaunewcomb · ‎07-25-2012

I have a multi-chart dashboard using to generate graphs. Splunk only returns 10-13k events so the data is incomplete. This happens regardless of what I set the timeframe to. If I run the same queries on the search line, or just do a regular dashboard without form, all events come back.

    <?xml version='1.0' encoding='utf-8'?>
<form>
 <label>Event Volume Stats</label>
 <searchTemplate>`dp` environment=$environment$ <!--object=*--></searchTemplate>  
 <fieldset>
  <input type="dropdown" token="environment">
   <label>Environment</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="environment" fieldForLabel="environment">
           <![CDATA[earliest=-15min latest=now `dp` 
            | stats count by environment]]>
      </populatingSearch>
   </input>

<!--   <input type="dropdown" token="object">
     <label>Object</label>
     <choice value="*">All</choice>
     <populatingSearch fieldForValue="object" fieldForLabel="object">
        <![CDATA[earliest=-1h latest=now `dp` 
         | stats count by environment]]>
     </populatingSearch>
   </input>
-->

   <input type="time" />

  </fieldset>

   <row>
    <chart>
      <searchPostProcess>timechart count(environment) AS events BY environment usenull=f</searchPostProcess>
      <title>Volume</title>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Object Count</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.primaryAxisTitle.text"/>
      <option name="charting.secondaryAxisTitle.text"/>
    </chart>
  </row>

  <!-- 
  <row>
    <chart>
      <searchPostProcess>timechart count(object) AS events BY object usenull=f</searchPostProcess>
      <title>Volume</title>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Object Count</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.primaryAxisTitle.text"/>
      <option name="charting.secondaryAxisTitle.text"/>
    </chart>
  </row>

    <row>
    <table>
      <searchPostProcess>chart count(object) AS events BY object | sort -events</searchPostProcess>
      <title>Object Count</title>
      <option name="dataOverlayMode">heatmap</option>
      <option name="displayRowNumbers">false</option>
      <option name="drilldown">none</option>
    </table>
    <chart>
      <searchPostProcess>chart limit=0 count(object) AS events BY object | sort -events</searchPostProcess>
      <title>Object Count Distribution</title>
      <option name="charting.chart">pie</option>
      <option name="drilldown">none</option>
    </chart>
  </row>
        -->
</form>

fernandoandre · ‎02-19-2013

Hi

I think this can solve you problem:

Please give feedback if it worked.

Dashboard returning incomplete results

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?