Dashboards & Visualizations

Dashboard shows no Results but Search works . .

tyronetv
Communicator

I have a search that works against a key value pair in Connect Direct logs. Initially I had the report set up to do post-process re-naming of the SNOD value to the human readable name. Yesterday I added a lookup table and ran the search multiple times with the expected results, i.e., the lookup worked.

I replaced the search in the Dashboard panel with the new search and was told "zero results." I ran the inspector and it stated:

This search has completed and found 2,764 matching events. However, the transforming commands in the highlighted portion of the following search:

search sourcetype=connectdirect host = napa-v120 ( RECI=CTRC ) | transaction keepevicted=true PNUM RECI STAR STOP | eval VOLUME=(SBYX/1048576) | search VOLUME>0 | timechart span=30m sum(VOLUME) by Account useother=f usenull=f | rename NAPA_CD_V120 as "Inbound"

(bold to show what was highlighted).

If I just run the search, everything works. I can change date/time ranges, etc., with no problems. Why is the display as a dashboard not working?

I have removed the "rename ..." to no effect.

If I go back to "timechart span=30m sum(VOLUME) by SNOD ..." and then do post process renames it works though.

Tags (3)
0 Karma
1 Solution

tyronetv
Communicator

Okay. I'm a klutz.

The lookup file and lookup definition were set properly but when I added the automatic lookup definition I missed resetting the permissions to all.

My bad.

View solution in original post

0 Karma

tyronetv
Communicator

Okay. I'm a klutz.

The lookup file and lookup definition were set properly but when I added the automatic lookup definition I missed resetting the permissions to all.

My bad.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...