- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Why can I not get a chart to appear using a ba...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why can I not get a chart to appear using a base search on my dashboard?
I am attempting to use a base search on my dashboard, but I cannot get the chart to appear. Here is what the XML of the dashboard looks like:
<dashboard>
<search id="Prod1ValidateClaimLast30Min">
<query> index=ssi_app_index TATL message.facets.url=*ValidateClaim* message.facets.url=https://me.myself.com*</query>
<earliest>rt-30m</earliest>
<latest>rt</latest>
</search>
<label>SAP Test</label>
<row>
<panel>
<chart>
<title>Product Median ValidateClaim Last 30 Min, sec</title>
<search base="Prod1ValidateClaimLast30Min">
<query>stats median(message.facets.duration) as ValidationAvg | eval ValidationAvg=round(ValidationAvg/1000,2)</query>
</search>
</chart>
</panel>
</row>
</dashboard>
If I click on the "Open in Search" button from the dashboard then data shows up and the search is concatenated correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi SAPrabhakar,
I don't know why Splunk has this behavior that I found many times, maybe it's a Splunk bug and I opened a case to Support some months ago.
Every way, you can use a workaround (or better a "porkaround"!) inserting in your base search an eval command with fields you have to use in the panel's search, in your example:
index=ssi_app_index TATL message.facets.url=*ValidateClaim* message.facets.url=https://me.myself.com* | eval message.facets.duration=message.facets.duration
If you have more fields you have to add each one in the same way.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Your xml code syntax is correct just verify if your search code works well.
Verify if the following search code works :
index=ssi_app_index TATL message.facets.url="*ValidateClaim*" message.facets.url="https://me.myself.com*"|stats median(message.facets.duration) as ValidationAvg | eval ValidationAvg=round(ValidationAvg/1000,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try adding all the field values in double quotes and also add the field to be used later in second query.
index="ssi_app_index" TATL message.facets.url="ValidateClaim" message.facets.url="https://me.myself.com*"| *table message.facets.duration | fields **
Having said that your query should have worked as well, so try joining base and second stats query together and see if you are getting any results back or not.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a couple of things I think you should consider with what you are doing here.
- I am not sure you that you can use a real-time search as a base search. I don't see anything in the documentation, but I would be highly skeptical of that approach given the other limitations of base searches.
- You should look at all the things to avoid listed here: http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/Savedsearches#Post-process_searches. Big one is you should not return raw events in the base search.
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
