Solved: search executes before loading icon from lookup

nathanluke86 · ‎11-06-2019

Hi @chrisyoungerjds ,

When running a dashboard search for Flow Map Viz the not all icons in the lookup seem load fast enough and some icons revert to the default square.

Is there a way to ensure all icons load successfully or is this a limitation of the app

Kind regards

chrisyounger · ‎11-11-2019

Hi @nathanluke86
Apologies for the delay in responding, I have been on holidays. Your query looks fine, and there is no problem with using tokens/dropdowns. The only thought I have is that the icons failing to load might happen becuase Splunk takes a bit of extra time to do the subsearch (the append). Lucky there may be a simple fix for this, try replacing teh last line with this instead:

|inputlookup append=t path.csv

so your whole query would look like this

index = iis dest_host=$dest$ src_host_name=$src$ status=*
| chart useother=false usenull=false count over src_host_name by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good,
,sum(eval(if(like(status,"4%"),count,0))) as error, ,sum(eval(if(like(status,"3%"),count,0))) as warn
,values(eval(if(status=="src_host_name",count,NULL))) as src_host_name by tmp
| eval from=src_host_name , to="dest_host"
| fields from to error warn good
|inputlookup append=t path.csv

View solution in original post

chrisyounger · ‎11-11-2019

Hi @nathanluke86
Apologies for the delay in responding, I have been on holidays. Your query looks fine, and there is no problem with using tokens/dropdowns. The only thought I have is that the icons failing to load might happen becuase Splunk takes a bit of extra time to do the subsearch (the append). Lucky there may be a simple fix for this, try replacing teh last line with this instead:

|inputlookup append=t path.csv

so your whole query would look like this

index = iis dest_host=$dest$ src_host_name=$src$ status=*
| chart useother=false usenull=false count over src_host_name by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good,
,sum(eval(if(like(status,"4%"),count,0))) as error, ,sum(eval(if(like(status,"3%"),count,0))) as warn
,values(eval(if(status=="src_host_name",count,NULL))) as src_host_name by tmp
| eval from=src_host_name , to="dest_host"
| fields from to error warn good
|inputlookup append=t path.csv

nathanluke86 · ‎11-12-2019

Thanks @chrisyoungerjds,

This seems to have resolved this issue.

Thanks for being so supportive.

chrisyounger · ‎11-12-2019

good stuff. glad its sorted

chrisyounger · ‎11-06-2019

No this should not occur but I do believe you becuase a while back I had a similar problem. I think what might be happening is that you might have multiple "node" rows, or late arriving "node" rows in your data. Its a big hard to explain but if you are able to share your search query I can help further

nathanluke86 · ‎11-07-2019

Thanks @chrisyoungerjds

index = iis dest_host=$dest$ src_host_name=$src$ status=*
| chart useother=false usenull=false count over src_host_name by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good,
,sum(eval(if(like(status,"4%"),count,0))) as error, ,sum(eval(if(like(status,"3%"),count,0))) as warn
,values(eval(if(status=="src_host_name",count,NULL))) as src_host_name by tmp
| eval from=src_host_name , to="dest_host"
| fields from to error warn good
|append [| inputlookup path.csv]

Could this be caused by the drop down menus I am using for src and dest host.

I'm loving this app by the way.

search executes before loading icon from lookup

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability