I built a Saved Search and configured a Dashboard to include that Saved Search (below). In a panel of this Dashboard, I configured a report based on this saved search.
When I load the Dashboard, the search is started and stops showing NO data and a message below the graphic said that the results were truncated, and No data is shown. Opening in search I get a lot of results in events....
The Saved Search:
index=acess_web |eval Gb=bytes_in/1073741824| timechart span=1d sum(Gb)
Thanks for any help
The Visualisation must show 1 month of logs, with 1 day of span. In teory, the visualisation should have only 30 points, each one is one day, and the data is the sum of Gb transfered that day.
if you run this search in the search app:
index=acessweb |eval Gb=bytesin/1073741824| timechart span=1d sum(Gb)
do you get back any results? Do you have any field named 'bytes_in'?
How many rows are you getting while running this query in search app? In ideal situation, if your selected timerange (in both search app and in your dashboard) should be set to show one month data. If nothing is specified if will run for All Times and may result more than 30 rows.
I created a new Dashboard and added the search. It worked ! So I made the new Dashboard similar to the other that doesn't work.
With my user I can see the chart, but with another user, when loading message reaches 71%, the process is aborted and the same message is shown. All other charts are processes.
Chart working: http://imageshack.com/a/img824/2297/uslk.png
Update: after the saved search ran on background (programed to run at midnight), it stopped working again, for all users.
With the user I created the dashboard, entered the Edit Panel and then, the Statistics mode. It is listing dates since January. There are more than 500 pages of data.
But it should not happen, since I configured to count the events from only 1 month ago ( -1mon, now).
Tried to put earliest=-mon on search string but didn't work (same results).
The strange is that, when I try the search mannually, on the result table for 1 second apears a bunh of rows with all dates and then disapear, showing only the results (correct results) from the search.
I'm encountering the same issue using PDF report. The view (dashboard) displays all the results just fine. A manual preview generates a PDF that displays only 1000 lines when there should be many more lines. This started after our upgrade to 5.0.3 (from version 4.3.x).