Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Clustermaps not loading properly using a base search

HaxUez
Explorer
‎03-30-2021 06:45 AM

In a dashboard, a single panel using a lookup and geostats works fine.  When I take that search and split it up to use a base search with multiple panels it semi-breaks.  The Cluster map will start loading but the pie charts appear then disappear.  The other panels on the dashboard are pie charts and they all load appropriately. Once the search completes however, if you click refresh the cluster map results will display properly.  Is this a problem with my source, the SPL, or something else (bug)? Source below is just the Panel for the Cluster map I am having problems with.

 

<form>
<label>Firewall Clustermap</label>
<description>Inbound Traffic</description>
<search id="Global_Traffic">
<query>index=xyz_firewall sourcetype=xyz_log policy_name="XYZ" direction=inbound |fields Country,src_ip,vendor_action,dest_ip,dest_port, src_port
|iplocation src_ip |search Country=* [|inputlookup XYZ_Country_Block_List]
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="true">
<input type="time" token="field1">
<label>Choose Time then Click Submit</label>
<default>
<earliest>-1m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>GLOBAL DROPS</title>
<map>
<title>ACTION: Drop</title>
<search base="Global_Traffic">
<query>|Search vendor_action IN (Drop, Deny, Block, Reject) |geostats count by Country globallimit=0</query>
</search>
<option name="mapping.type">marker</option>
<option name="refresh.display">progressbar</option>
</map>
</panel>

Labels (2)
Labels
Tags (2)
Reply

victorsalazar
Explorer
‎11-06-2023 12:10 PM

Hello All 

I had exactly the same Issue and this only happens when u use the base search directly to get the cluster map populated. I solved the issue and maybe is a silly way to do it but it was the only way to make it workg for me.

In your cluster map  edit search --> search string text box do something like this

mainQuery: it is your base search, in my case is a Macro used in differnt dashboads
###################  Code ###############################

| fields  ``` there is no fields called 1 - the idea is to get an empty result from the base search ```
```  The idea about the code below is to use the query mainQuery and get the fields to pass them to geostats ```

| append
       [  search `mainQuery`
          | fields lat lon country sales
       ]
| geostats latfield=lat longfield=lon count(sales) by country globallimit=0 locallimit=0

###################  end of Code ###############################

0 Karma
Reply

HaxUez
Explorer
‎03-30-2021 07:12 AM

Before refresh and After refresh screenshots of Cluster maps

After RefreshAfter RefreshBefore RefreshBefore Refresh

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-30-2021 02:41 PM

This will be no help to you unfortunately, but I have seen similar behaviour I believe on a Splunk 7.X environment, but never found the cause. What version are you on?

 

0 Karma
Reply

HaxUez
Explorer
‎03-31-2021 07:42 AM

Version 8.1.2

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top