Dashboards & Visualizations

Dashboard shows no Results but Search works . .

tyronetv
Communicator

I have a search that works against a key value pair in Connect Direct logs. Initially I had the report set up to do post-process re-naming of the SNOD value to the human readable name. Yesterday I added a lookup table and ran the search multiple times with the expected results, i.e., the lookup worked.

I replaced the search in the Dashboard panel with the new search and was told "zero results." I ran the inspector and it stated:

This search has completed and found 2,764 matching events. However, the transforming commands in the highlighted portion of the following search:

search sourcetype=connectdirect host = napa-v120 ( RECI=CTRC ) | transaction keepevicted=true PNUM RECI STAR STOP | eval VOLUME=(SBYX/1048576) | search VOLUME>0 | timechart span=30m sum(VOLUME) by Account useother=f usenull=f | rename NAPA_CD_V120 as "Inbound"

(bold to show what was highlighted).

If I just run the search, everything works. I can change date/time ranges, etc., with no problems. Why is the display as a dashboard not working?

I have removed the "rename ..." to no effect.

If I go back to "timechart span=30m sum(VOLUME) by SNOD ..." and then do post process renames it works though.

Tags (3)
0 Karma
1 Solution

tyronetv
Communicator

Okay. I'm a klutz.

The lookup file and lookup definition were set properly but when I added the automatic lookup definition I missed resetting the permissions to all.

My bad.

View solution in original post

0 Karma

tyronetv
Communicator

Okay. I'm a klutz.

The lookup file and lookup definition were set properly but when I added the automatic lookup definition I missed resetting the permissions to all.

My bad.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...