Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Clustermaps not loading properly using a base search

HaxUez
Explorer
‎03-30-2021 06:45 AM

In a dashboard, a single panel using a lookup and geostats works fine.  When I take that search and split it up to use a base search with multiple panels it semi-breaks.  The Cluster map will start loading but the pie charts appear then disappear.  The other panels on the dashboard are pie charts and they all load appropriately. Once the search completes however, if you click refresh the cluster map results will display properly.  Is this a problem with my source, the SPL, or something else (bug)? Source below is just the Panel for the Cluster map I am having problems with.

 

<form>
<label>Firewall Clustermap</label>
<description>Inbound Traffic</description>
<search id="Global_Traffic">
<query>index=xyz_firewall sourcetype=xyz_log policy_name="XYZ" direction=inbound |fields Country,src_ip,vendor_action,dest_ip,dest_port, src_port
|iplocation src_ip |search Country=* [|inputlookup XYZ_Country_Block_List]
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="true">
<input type="time" token="field1">
<label>Choose Time then Click Submit</label>
<default>
<earliest>-1m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>GLOBAL DROPS</title>
<map>
<title>ACTION: Drop</title>
<search base="Global_Traffic">
<query>|Search vendor_action IN (Drop, Deny, Block, Reject) |geostats count by Country globallimit=0</query>
</search>
<option name="mapping.type">marker</option>
<option name="refresh.display">progressbar</option>
</map>
</panel>

Labels (2)
Labels
Tags (2)
Reply

victorsalazar
Explorer
‎11-06-2023 12:10 PM

Hello All 

I had exactly the same Issue and this only happens when u use the base search directly to get the cluster map populated. I solved the issue and maybe is a silly way to do it but it was the only way to make it workg for me.

In your cluster map  edit search --> search string text box do something like this

mainQuery: it is your base search, in my case is a Macro used in differnt dashboads
###################  Code ###############################

| fields  ``` there is no fields called 1 - the idea is to get an empty result from the base search ```
```  The idea about the code below is to use the query mainQuery and get the fields to pass them to geostats ```

| append
       [  search `mainQuery`
          | fields lat lon country sales
       ]
| geostats latfield=lat longfield=lon count(sales) by country globallimit=0 locallimit=0

###################  end of Code ###############################

0 Karma
Reply

HaxUez
Explorer
‎03-30-2021 07:12 AM

Before refresh and After refresh screenshots of Cluster maps

After RefreshAfter RefreshBefore RefreshBefore Refresh

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-30-2021 02:41 PM

This will be no help to you unfortunately, but I have seen similar behaviour I believe on a Splunk 7.X environment, but never found the cause. What version are you on?

 

0 Karma
Reply

HaxUez
Explorer
‎03-31-2021 07:42 AM

Version 8.1.2

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...