Dashboards & Visualizations

Dashboard shows no Results but Search works . .

tyronetv
Communicator

I have a search that works against a key value pair in Connect Direct logs. Initially I had the report set up to do post-process re-naming of the SNOD value to the human readable name. Yesterday I added a lookup table and ran the search multiple times with the expected results, i.e., the lookup worked.

I replaced the search in the Dashboard panel with the new search and was told "zero results." I ran the inspector and it stated:

This search has completed and found 2,764 matching events. However, the transforming commands in the highlighted portion of the following search:

search sourcetype=connectdirect host = napa-v120 ( RECI=CTRC ) | transaction keepevicted=true PNUM RECI STAR STOP | eval VOLUME=(SBYX/1048576) | search VOLUME>0 | timechart span=30m sum(VOLUME) by Account useother=f usenull=f | rename NAPA_CD_V120 as "Inbound"

(bold to show what was highlighted).

If I just run the search, everything works. I can change date/time ranges, etc., with no problems. Why is the display as a dashboard not working?

I have removed the "rename ..." to no effect.

If I go back to "timechart span=30m sum(VOLUME) by SNOD ..." and then do post process renames it works though.

Tags (3)
0 Karma
1 Solution

tyronetv
Communicator

Okay. I'm a klutz.

The lookup file and lookup definition were set properly but when I added the automatic lookup definition I missed resetting the permissions to all.

My bad.

View solution in original post

0 Karma

tyronetv
Communicator

Okay. I'm a klutz.

The lookup file and lookup definition were set properly but when I added the automatic lookup definition I missed resetting the permissions to all.

My bad.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...