Archive

Why do my results appear and then disappear on a map?

Communicator

Dear All,

I have a geostats search that is providing a mapped view of events over a single area. It is like this:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count by loss

At first, the map shows up the results, but after about 5 minutes, if I come back to the map, the results disappear.

Is this because the results in the search job are removed after a certain amount of time or is it being there has been a timeout or what?

The number of events is about 700000, by the way.

Kind regards,

BlueSocket

1 Solution

Communicator

The answer to this was the MaxClusters value was set to 100 and not a value that was valid, which, for the visualisation selected was over 100,000.

I got this answer from Support and I hope that this helps someone else as well.

View solution in original post

0 Karma

Communicator

The answer to this was the MaxClusters value was set to 100 and not a value that was valid, which, for the visualisation selected was over 100,000.

I got this answer from Support and I hope that this helps someone else as well.

View solution in original post

0 Karma

awesome 🙂 many thanks for reporting this back - saves my day 😉

0 Karma

Communicator

Just made another observation. this query WORKS and the map stays showing the data:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count

But this one does NOT work:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count by loss

The difference is that the second one includes a "by loss" clause.

Why does this break the report?

Splunk Support are silent on this, too.

0 Karma

Communicator

Hmmm, I thought that it might be that the job was expiring, but I just watched it constantly and noticed that the data stays on the screen while the dark blue line at the top of the window is progressing from one side to the other, but then disappears when it gets to the end.

What is going on?

0 Karma

Communicator

When splunk parses events based on the searches It progress It disappears once the search complete...

0 Karma

Communicator

Yes. That is what I am seeing. I don't think that this is normal and expected, is it?

0 Karma

Esteemed Legend

Yes, Splunk is designed to show partial results all along the way and adjust as it gets further along. Usually this is correctly progressive but sometimes it does backtrack depending on things later in the pipeline of the search.

0 Karma

Communicator

...but why do ALL of the results disappear from the map?

Since trying to debug this, however, I now have a little more information.

I created another map and that has fewer rows in the geostats results. Interestingly, the results on this map do NOT disappear.

Hmmm.

0 Karma

Communicator

I had some similar results once. Is possible that you have NULL data on your fields?

0 Karma