Hi,
I wonder if someone can help me on something. I created a report which runs absolutely fine no matter when I run it. I added the report to a dashboard panel, but now some values are missing.
This is the search string:
index=risk sourcetype=feed_info
| eval sys1_arrival_time=if(sys1_arrival_time=="NULL", "",sys1_arrival_time )
| eval sys2_end_time=if(sys2_end_time=="NULL", "",sys2_end_time )
| eval timenow=now() | eval nowstring=strftime(now(), "%Y-%m-%d")
| eval sys1_exp_time_string=nowstring+" "+tostring(system1_expected_time)
| eval sys1_exp_time_epoch=strptime(sys1_exp_time_string, "%Y-%m-%d %H:%M:%S") | eval sys1_arrival_time_epoch=strptime(sys1_arrival_time, "%Y-%m-%d %H:%M:%S")
| eval sys1_status=case(timenow>sys1_exp_time_epoch AND isnull(sys1_arrival_time_epoch), "Late", timenowsys1_exp_time_epoch, "OK (Arrived Late)", sys1_arrival_time_epoch<=sys1_exp_time_epoch, "OK") | eval sys2_exp_time_string=nowstring+" "+tostring(system2_expected_time)
| eval sys2_exp_time_epoch=strptime(sys2_exp_time_string, "%Y-%m-%d %H:%M:%S") | eval sys2_end_time_epoch=strptime(sys2_end_time, "%Y-%m-%d %H:%M:%S")
| eval sys2_status=case(timenow>sys2_exp_time_epoch AND isnull(sys2_end_time_epoch), "Late", timenowsys2_exp_time_epoch, "OK (Finished Late)", sys2_end_time_epoch<=sys2_exp_time_epoch, "OK")
| table value_date,feedname, sys1_exp_time_string,sys1_arrival_time, sys1_status, sys2_exp_time_string,sys2_end_time, sys2_status
| rename sys1_exp_time_string AS sys1_expected_time, sys2_exp_time_string as "sys2_expected_time"
| dedup 1 feedname
The different values are the sys1_status and sys2_status. Curiously these two are calculated fields, based on time. I also noticed that the issue happens after 6pm - during the day it works fine.
Faulty Panel: http://s000.tinyupload.com/?file_id=06140936697604993623
Working Report: http://s000.tinyupload.com/?file_id=76794376457864993058
Both screenshots were taken at the same time.
Thanks!
It's probably truncating your results in the dashboard. If you adjust your time span more in your timetable or what have you... it will look even on the display.
I'm sure there's a way to modify slunk truncation rules. Or at least a better work arounds
Yes, it is truncating results, probably because it's running a fast (instead of a verbose) search. Just don't know how to force a verbose search on dashboard panels...
Hmmmm... I also noticed that the number of events are less in the dashboard and that the search runs in fast mode. Is there a way to force verbose mode?