Hi Niketnilay,
For the below query, which you helped me out with:
source="jnpr-syslog" policy_name=Internet_Lab_Policy_Gateway_Logging source
| bin _time span=1d
| stats count as New_Connections by source_address _time
| eventstats sum(New_Connections) as Total by _time
| eval "%New_Connections"=round((New_Connections/Total)*100,2)
| fields - Total
| sort - _time New_Connections | streamstats count as sno by _time
| search sno<=20
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(New_Connections) as New_Connections last("%New_Connections") as "%New_Connections" by source_address
| sort - New_Connections
This query doesn't return an output when run in fast mode. When in verbose mode it gives the output. Using this query a dashboard has been created, and by default it runs in fast mode. The dashboard also has time as an input. As a result, when I select real-time data, i.e. a 1 minute window, the query does not produce any output as it is in fast mode; when I change it to verbose mode manually it gives the output. How do I make the dashboard run permanently in verbose mode, or else how do I change the query so that it gives output even when run in fast mode?
Let me know if you need any more information.
Regards,
Sushma.
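One variant worth trying, added here as a suggestion and not taken from the original post: Fast mode turns off field discovery and only extracts fields the search is known to need, so naming `source_address` explicitly right after the base search (assumption: `source_address` is an auto-discovered field in this sourcetype, as the original query implies) makes it available before `stats` runs, whichever mode the dashboard panel uses. The rest of the query is unchanged from the one above.

```spl
source="jnpr-syslog" policy_name=Internet_Lab_Policy_Gateway_Logging source
| fields _time source_address
| bin _time span=1d
| stats count as New_Connections by source_address _time
| eventstats sum(New_Connections) as Total by _time
| eval "%New_Connections"=round((New_Connections/Total)*100,2)
| fields - Total
| sort - _time New_Connections | streamstats count as sno by _time
| search sno<=20
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(New_Connections) as New_Connections last("%New_Connections") as "%New_Connections" by source_address
| sort - New_Connections
```

A quick check is to run the original and this variant side by side in Fast mode over the same 1 minute window; if only the variant returns rows, the missing field extraction is the cause.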