Knowledge Management

Dashboard Statistics Table Not Showing

daniel_augustyn
Contributor

I am building a dashboard and I've been having an issue with presenting Statistics Tables on the dashboard while logged in as another user. I wanted to set it up on the big screens in the SOC using another user account. After I created all dashboards, they are all showing fine, except for the Statistics Table ones. Any idea why I can't show Statistics Tables dashboard to other users via dashboards? I can see it fine on my screen, but on the big screens it shows "No results found".

0 Karma
1 Solution

woodcock
Esteemed Legend

It is likely a permissions problem somewhere. Either the other users do not have permission to access the index, or do not have access to a macro that is used in the search or something like that. Strip off consecutive pipes from the right side until the search works and then see why the other user does not have access to the thing that you just removed.

daniel_augustyn
Contributor

I put both users in the same roles: power, admin, and user and this didn't help. Where else should I be looking at the permissions?

0 Karma

daniel_augustyn
Contributor

This query works just fine: index=proxy category=Malicious* | table src, action, cs_method, dest_host, category
but this one doesn't: index=proxy category=Malicious* | stats count by src, action, cs_method, dest_host, category

0 Karma

woodcock
Esteemed Legend

OK, then you should figure out what field extraction or app creates the src, action, cs_method, dest_host, and category fields. Then make sure both users have permission to those. If any field in the by clause is missing/null, then the entire command will fail (drop all events).

0 Karma

daniel_augustyn
Contributor

And this totally fixed the issue!! Thanks a lot, some of the regex didn't have global permission to be read by other users.

0 Karma
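
The fix reported above was field extractions that other users were not permitted to read. As an added example (not part of the thread and not Splunk's own code), this Python script parses a constructed `metadata/local.meta` sample and lists the `props` stanzas a given role cannot read or that are not exported globally. The stanza names and the sample file are assumptions, and inheritance from the `[]` and `[props]` default stanzas is not modelled, so a stanza without its own `access` line is reported as unreadable.

```python
import re

# Constructed sample of an app's metadata/local.meta (not taken from the thread).
SAMPLE_META = """\
[props/proxy/EXTRACT-src]
access = read : [ * ], write : [ admin ]
export = system

[props/proxy/EXTRACT-cs_method]
access = read : [ admin ], write : [ admin ]
export = none
owner = soc_builder

[props/proxy/EXTRACT-category]
access = read : [ admin, power ], write : [ admin ]

[views/soc_dashboard]
access = read : [ * ], write : [ admin ]
export = system
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}} for the text of a .meta file."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(access):
    """Extract the set of roles in the 'read : [ ... ]' part of an access line."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access or "")
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def unshared_extractions(text, role):
    """List (stanza, readable_by_role, exported_globally) for problem props stanzas."""
    findings = []
    for name, attrs in parse_meta(text).items():
        if not name.startswith("props/"):
            continue  # only field extractions and other props objects matter here
        roles = read_roles(attrs.get("access"))
        readable = "*" in roles or role in roles
        is_global = attrs.get("export") == "system"
        if not (readable and is_global):
            findings.append((name, readable, is_global))
    return findings
```

Run it against the `local.meta` of the app that defines the `proxy` extractions, passing the role the SOC display account actually uses.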

woodcock
Esteemed Legend

If this is your search:

index=proxy category=Malicious* | stats count by src, action, cs_method, dest_host, category | sort limit=10 -count

Then the problem is the limit=10 which is the wrong syntax. Try this:

index=proxy category=Malicious* | stats count by src, action, cs_method, dest_host, category | sort 10 -count
0 Karma

daniel_augustyn
Contributor

Not sure why this was a wrong syntax, when with the logged in user who created this dashboard, it was showing just fine. It didn't fix the issue by removing 'limit='.

0 Karma

daniel_augustyn
Contributor

It's so weird, the events are showing under Events tab but Splunk can't generate dashboard from these events. It only works with the user which created this dashboard. I can share it because it doesn't show under other users.

0 Karma

woodcock
Esteemed Legend

SHOW US YOUR SEARCH (yes, it makes a difference)!

There are MANY reasons for such a thing but the one that is the most common and frustrating is when searches do not contain an explicit index= ... portion and rely instead on the user's (role's) Indexes searched by default setting. Add an explicit index=... expression and see if that works.

0 Karma

daniel_augustyn
Contributor

index=proxy category=Malicious* | stats count by src, action, cs_method, dest_host, category | sort limit=10 -count

0 Karma

daniel_augustyn
Contributor

There is something wrong with this. It doesn't work again.

0 Karma

somesoni2
SplunkTrust

Does the user with which you're running the dashboard have access to the data (index specifically) on which the table is built?

0 Karma

daniel_augustyn
Contributor

Yes, when you present the same dashboard as Lines, Bars, etc., it shows up. The Statistics Table option doesn't want to show the data. It still shows "no results found".

0 Karma

twinspop
Influencer

And also the permissions on knowledge objects, like fields, lookups, etc. If you, for example, do a stats count by private_field, you will get a no results message.

0 Karma

daniel_augustyn
Contributor

The same dashboards are showing as Bars, Lines, Areas, but not Tables.

0 Karma