Re: Clustermaps not loading properly using a base ...

HaxUez · ‎03-30-2021

In a dashboard, a single panel using a lookup and geostats works fine. When I take that search and split it up to use a base search with multiple panels it semi-breaks. The Cluster map will start loading but the pie charts appear then disappear. The other panels on the dashboard are pie charts and they all load appropriately. Once the search completes however, if you click refresh the cluster map results will display properly. Is this a problem with my source, the SPL, or something else (bug)? Source below is just the Panel for the Cluster map I am having problems with.

<form>
<label>Firewall Clustermap</label>
<description>Inbound Traffic</description>
<search id="Global_Traffic">
<query>index=xyz_firewall sourcetype=xyz_log policy_name="XYZ" direction=inbound |fields Country,src_ip,vendor_action,dest_ip,dest_port, src_port
|iplocation src_ip |search Country=* [|inputlookup XYZ_Country_Block_List]
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="true">
<input type="time" token="field1">
<label>Choose Time then Click Submit</label>
<default>
<earliest>-1m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>GLOBAL DROPS</title>
<map>
<title>ACTION: Drop</title>
<search base="Global_Traffic">
<query>|Search vendor_action IN (Drop, Deny, Block, Reject) |geostats count by Country globallimit=0</query>
</search>
<option name="mapping.type">marker</option>
<option name="refresh.display">progressbar</option>
</map>
</panel>

victorsalazar · ‎11-06-2023

Hello All

I had exactly the same Issue and this only happens when u use the base search directly to get the cluster map populated. I solved the issue and maybe is a silly way to do it but it was the only way to make it workg for me.

In your cluster map edit search --> search string text box do something like this

mainQuery: it is your base search, in my case is a Macro used in differnt dashboads
################### Code ###############################

| fields 1 ``` there is no fields called 1 - the idea is to get an empty result from the base search ```
``` The idea about the code below is to use the query mainQuery and get the fields to pass them to geostats ```

| append
[ search `mainQuery`
| fields lat lon country sales
]
| geostats latfield=lat longfield=lon count(sales) by country globallimit=0 locallimit=0

################### end of Code ###############################

HaxUez · ‎03-30-2021

Before refresh and After refresh screenshots of Cluster maps

After Refresh After Refresh Before Refresh Before Refresh

bowesmana · ‎03-30-2021

This will be no help to you unfortunately, but I have seen similar behaviour I believe on a Splunk 7.X environment, but never found the cause. What version are you on?

HaxUez · ‎03-31-2021

Version 8.1.2

Clustermaps not loading properly using a base search

form

panel

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?