Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard not showing any results

Janani_Krish
Path Finder
‎12-09-2020 09:47 PM

Hi,
I have built a dashboard after testing the query in search. The dashboard is showing "search did not return any events" even though my query is returning results when opened in search. Below is the source,

<form>
	<label>IP</label>
	<fieldset submitButton="false" autoRun="true">
		<input type="time" token="time">
			<label></label>
			<default>
				<earliest>-24h@h</earliest>
				<latest>now</latest>
			</default>
		</input>
	</fieldset>
	<row>
		<panel>
			<title>sample</title>
			<event>
				<title>sample</title>
				<search>
					<query>|inputlookup mylookup|search tag="bruteforce"|dedup indicator|table indicator|union[search sourcetype="data" action=allowed (src_ip!=10.0.0.0/8 src_ip!=172.16.0.0/12 src_ip!=192.168.0.0/16) OR (dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16)|eval indicator=mvappend(src_ip,dest_ip)|mvexpand indicator|dedup indicator|table indicator]|stats count by indicator|where count&gt;1</query>
					<earliest>$time.earliest$</earliest>
					<latest>$time.latest$</latest>
				</search>
				<option name="list.drilldown">none</option>
				<option name="refresh.display">progressbar</option>
			</event>
		</panel>
	</row>
</form>



Please give me your suggestions.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-09-2020 11:31 PM

Hi @Janani_Krish,

as @renjith_nair said, in dashboards a search is executed in "Smart Mode" cand probably you runned your search in Verbose Mode.

Then Probably the fields you used in your search aren't selected, try to select the fields you use (src_ip and dest_ip) in the search, then run your search in Smart Mode, then it should run in the dashboard.

In addition, remember that there's the limit of 50,000 results in subsearches, so it isn't a good practice to put the search in subsearch and the inputlookup in main search, try to invert them!

Ciao.

Giuseppe

Reply

renjith_nair
Legend
‎12-09-2020 10:09 PM

Please use the code sample (<>) to add your xmls for better readability. For now, it's edited and formatted 🙂

Try including index= <your index> in the sub search. This will make sure that events are fetched even though "search by default" is not set under the roles.

Also in the search bar , try to run the search in fast mode and check if you are able to get the result. If you are not getting the result, then it could be a field extraction

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...