Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard chart always show non-verbose figures

30cents
New Member
‎04-08-2020 06:15 PM

Hi,

I am trying to show the difference in percentage between two values in my log: Tx_Mbps and Input_Rate_Mbps and display the percentage as a Single Value. When I used the query below in the "Search & Reporting" I noticed that there is a difference between verbose (I get 44%) and fast(i get 68%) mode.

Then when i applied this query in my dashboard, i always get 68%. So i assume it is not in verbose mode. Is there any way to force my dashboard to search in verbose mode?

These are the things i tried:

  1. Used eventstats instead and added "|fields *|". I tried this in all positions throughout the query. I still get non-verbose results
  2. Saw a suggested solution to add this in my dashboard simpleXML: "param name="searchModeLevel"verbose". Able to advise where should i add this in? I tried adding this in the tag within my panel. Still get non-verbose results

This is my query in the dashboard:

sourcetype=csv index=*portstats* OR index=*q_health* |  eval Tx_Mbps=max(Tx_Mbps,0) | eval Input_Rate_Mbps=max(Input_Rate_Mbps,0) | stats avg(Tx_Mbps) as h avg(Input_Rate_Mbps) as q | eval diff = ((h-q)/q)*100 | table diff

Thanks in advance!

Tags (2)
0 Karma
Reply

30cents
New Member
‎04-12-2020 05:59 PM

Hi all,

Many thanks for your advises.

After the replies, i managed to identify the issue with my query by looking at my data in greater detail. I realised that the two indexes (index=portstats OR index=q_health), does not have the same _time. Hence i cannot apply this query in this scenario. I changed it to timechart instead of using stats and added up a 10 mins range of each of the two values before comparing the difference.

0 Karma
Reply

DalJeanis
Legend
‎04-10-2020 04:20 PM

If there is a difference between fast mode and verbose mode, it means something is not being extracted in fast mode.

To solve this, you explicitly call out the all fields you need in the first command after the first pipe. Compare this in verbose mode, then fast mode. 

sourcetype=csv (index=*portstats* OR index=*q_health*) (Tx_Mbps=* OR Input_Rate_Mbps=*) 
| fields Tx_Mbps Input_Rate_Mbps
| eval Tx_Mbps=max(Tx_Mbps,0) 
| eval Input_Rate_Mbps=max(Input_Rate_Mbps,0) 
| stats avg(Tx_Mbps) as h avg(Input_Rate_Mbps) as q 
| eval diff = ((h-q)/q)*100 
| table diff
0 Karma
Reply

to4kawa
Ultra Champion
‎04-09-2020 01:21 AM

will you provide sample logs?
Usually, the number is not different by the difference of the search mode.
However, I will notice that your search initially uses max in eval.

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...