Clustermaps not loading properly using a base search

HaxUez
Explorer

In a dashboard, a single panel using a lookup and geostats works fine. When I take that search and split it up to use a base search with multiple panels, it semi-breaks. The cluster map will start loading, but the pie charts appear then disappear. The other panels on the dashboard are pie charts and they all load appropriately. Once the search completes, however, if you click refresh the cluster map results will display properly. Is this a problem with my source, the SPL, or something else (bug)? Source below is just the panel for the cluster map I am having problems with.

<form>
  <label>Firewall Clustermap</label>
  <description>Inbound Traffic</description>
  <!-- Base search shared by all panels; post-process searches reference it via base="Global_Traffic" -->
  <search id="Global_Traffic">
    <query>index=xyz_firewall sourcetype=xyz_log policy_name="XYZ" direction=inbound
| fields Country,src_ip,vendor_action,dest_ip,dest_port,src_port
| iplocation src_ip
| search Country=* [| inputlookup XYZ_Country_Block_List]</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <label>Choose Time then Click Submit</label>
      <default>
        <earliest>-1m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>GLOBAL DROPS</title>
      <map>
        <title>ACTION: Drop</title>
        <!-- Post-process search: filters the base results and aggregates them for the cluster map -->
        <search base="Global_Traffic">
          <query>| search vendor_action IN (Drop, Deny, Block, Reject)
| geostats count by Country globallimit=0</query>
        </search>
        <option name="mapping.type">marker</option>
        <option name="refresh.display">progressbar</option>
      </map>
    </panel>
  </row>
</form>


victorsalazar
Explorer

Hello All 

I had exactly the same issue, and this only happens when you use the base search directly to get the cluster map populated. I solved the issue, and maybe it is a silly way to do it, but it was the only way to make it work for me.

In your cluster map, edit search --> search string text box, and do something like this:

mainQuery: this is your base search; in my case it is a macro used in different dashboards.
###################  Code ###############################

| fields 1  ``` there is no field called 1 - the idea is to get an empty result from the base search ```
```  The idea of the code below is to run the query mainQuery and get the fields to pass them to geostats ```
| append
       [ search `mainQuery`
         | fields lat lon country sales
       ]
| geostats latfield=lat longfield=lon count(sales) by country globallimit=0 locallimit=0

###################  end of Code ###############################


HaxUez
Explorer

Before refresh and After refresh screenshots of Cluster maps

[Screenshots: "After Refresh" and "Before Refresh" cluster map]


bowesmana
SplunkTrust

This will be no help to you unfortunately, but I have seen similar behaviour I believe on a Splunk 7.X environment, but never found the cause. What version are you on?


HaxUez
Explorer

Version 8.1.2
