
Data is getting indexed and is visible in events but it does not appear in the dashboard created by me.

Explorer

Hi,

I created a dashboard which displays the router information.

All of the data indexed so far is visible through the visualization tab. For four of the routers, it is not showing under the visualization tab.

This query displays the data in visualization tab:

index="itscebu" sourcetype="ncrcebucsv" host=* sitename="New-York" tier=tier1 router=rdusnyork010-35-1.corp.Gi0-0-2.2379 | eval datewday=strftime(time,"%u") |eval starte=strptime(starthour,"%H:%M")|eval starth=strftime(starte,"%H:%M")|eval ende=strptime(endhour,"%H:%M")|eval endh=strftime(ende,"%H:%M")|where timecustom>=starth AND timecustom=startwday AND datewday<=endwday | eval Intraffic=In/1048576 | timechart span=1h MAX(Intraffic) AS MAXIntraffic ,values("receive_bandwidth") as MAXIN-Bandwidth

whereas this query does not:

index="itscebu" sourcetype="ncrcebucsv" host=* sitename="New-York" tier=tier1 router=fusxpowtc1.eth-s4p1 | eval datewday=strftime(time,"%u") |eval starte=strptime(starthour,"%H:%M")|eval starth=strftime(starte,"%H:%M")|eval ende=strptime(endhour,"%H:%M")|eval endh=strftime(ende,"%H:%M")|where timecustom>=starth AND timecustom=startwday AND datewday<=endwday | eval Intraffic=In/1048576 | timechart span=1h MAX(Intraffic) AS MAXIntraffic ,values("receive_bandwidth") as MAXIN-Bandwidth

Please help!

Regards,
Sushma.

0 Karma

SplunkTrust

The only difference I see there is the router.

Try this and see if you get any events. If not, then (a) your router is misspelled or is not creating data or possibly (b) your router is in a different tier or the sourcetype is different, or something. Then go find your data.

index="itscebu" sourcetype="ncr_cebu_csv" host=* 
sitename="New-York" tier=tier1 router=fusxpowtc1.eth-s4p1 | head 5

If it DOES return some data, then try this -

index="itscebu" sourcetype="ncr_cebu_csv" host=* 
sitename="New-York" tier=tier1 router=rdusnyork010-35-1.corp.Gi0-0-2.2379 | head 5 
| append [ index="itscebu" sourcetype="ncr_cebu_csv" host=* 
sitename="New-York" tier=tier1 OR router=fusxpowtc1.eth-s4p1 | head 5]
| fillnull value=NULL start_hour end_hour time_custom start_wday end_wday
| table  host _time start_hour end_hour time_custom start_wday end_wday
| sort host _time

If any field comes up in that table with the word "NULL" for the s4p1 router data,
and NOT for the other one, you have your culprit field. Somehow that field is
getting populated for one router and not the other.

0 Karma

Explorer

Hi,

For the first query, I did not get any output. It displayed as "No results found".

For the second query, it displayed as Unknown search command index.

fusxpowtc1 gets indexed and events are visible, but it is not displaying in the dashboard. Where can I check to see the logs for the dashboard? Hope I could see some error or warning over there, based on which we can rectify.

Regards,
Sushma.

0 Karma

Explorer

Hi,

I was able to figure out the issue. It was because, while indexing the folder, I mentioned a regular expression for the host field as (?\w+-\d+-\d.+) and a separate index for it. This does not match the router name fusxpowtc1.eth-s4p1.csv, whereas it matches the other routers. Hence, I guess this is the reason for it not displaying the data in the dashboard.

Hence, as a next step, I created a separate folder with 4 values in it (two with the fusx names and two with the rdaedu.. names), changed the expression to (?\w+) and tried to index into the same location.
But search results show nothing. Do you think the problem is with my regular expression or with indexing of the new data?

Please help!

Regards,
Sushma.

0 Karma
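
The two host expressions from the last post can be checked offline against the router file names before re-indexing. This is an added example, not part of the original thread and not Splunk code. It assumes the first capture group becomes the host value, uses plain groups because the `(?` prefix on the page is incomplete, uses Python's `re` as a stand-in for the indexer's regex engine, and uses a constructed directory `/data/routers/`.

```python
import re

# Pattern bodies as quoted in the thread. The "(?" prefix shown on the page
# is incomplete, so plain capture groups are used here (assumption).
ORIGINAL = re.compile(r"(\w+-\d+-\d.+)")
REPLACEMENT = re.compile(r"(\w+)")

# Router names from the thread with ".csv" appended; the second file name
# is quoted in the thread, the first is assumed to follow the same form.
FILES = [
    "rdusnyork010-35-1.corp.Gi0-0-2.2379.csv",
    "fusxpowtc1.eth-s4p1.csv",
]

# Constructed directory, used only to show what happens when the
# expression is applied to a full path instead of a bare file name.
SAMPLE_DIR = "/data/routers/"


def extract_host(pattern, text):
    """Return the first capture group of the first match, or None."""
    m = pattern.search(text)
    return m.group(1) if m else None


def report():
    """Collect what each expression captures for each sample file."""
    rows = []
    for name in FILES:
        rows.append({
            "file": name,
            "original_on_name": extract_host(ORIGINAL, name),
            "replacement_on_name": extract_host(REPLACEMENT, name),
            "replacement_on_path": extract_host(REPLACEMENT, SAMPLE_DIR + name),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

The first expression needs a `word-digits-digit` sequence, which `fusxpowtc1.eth-s4p1.csv` never contains. The replacement matches every name but stops at the first non-word character, and on a full path it captures the first directory component instead of the router.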