Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Data not matching btw panel and search app

Ram2
Explorer
‎05-05-2024 05:08 PM

When we use a below query, in dashboard panel data is not showing correctly, if  we open the panel query in "open in search data is showing correctly.

How to fix this issue??

index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) repoter.dataloadingintiated
|stats count by local
|append
[search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data"
|stats count as FilesofDMA]
|append
[search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) "app.mefwebdata - jobintiated"
|eval host = case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24))
|eval host = host + " - " + host_ip
|stats count by host
|fields - count
|appendpipe
[stats count
|eval Error="Job didn't run today"
|where count==0
|table Error]]
|stats values(host) as "Host Data Details", values(Error) as Error, values(local) as "Files created localley on AMP", values(FilesofDMA) as "File sent to DMA"
Labels (1)
Labels
0 Karma
Reply

Ram2
Explorer
‎05-05-2024 06:15 PM

Panel displaying in dashboard:

Ram2_0-1714958133593.png

 



When we open the panel in search showing as below:(this is the correct data)

Host Data DetailsErrorFiles created localley on AMPFile sent to DMA
HOM-jjderf - 10.123.34.18
HOM-iytgh - 10.123.363.23
HOP-wghjy - 12.234.201.22
HOP-tyhgt - 12.234.891.34		 22186

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-05-2024 08:09 PM

Your search is rather odd - firstly you are doing

...
| stats count by local

and at the end you are doing 

| stats ... values(local) as ...

which doesn't make a lot of sense, unless local is always 221 in your example.

Is this dashboard studio or classic and are you using any base searches here?

 

0 Karma
Reply

Ram2
Explorer
‎05-05-2024 08:14 PM

this is a classic dashboard and no base searches used.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-05-2024 08:31 PM

Can you post your XML for the entire <panel>

inside a code formatting block <>

 

0 Karma
Reply

Ram2
Explorer
‎05-05-2024 08:45 PM

<form version="1.1" theme="dark"> <label>DMT Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input></fieldset> <row> <panel> <table> <search> <query> index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) repoter.dataloadingintiated |stats count by local |append [search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data" |stats count as FilesofDMA] |append [search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) "app.mefwebdata - jobintiated" |eval host = case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24)) |eval host = host + " - " + host_ip |stats count by host |fields - count |appendpipe [stats count |eval Error="Job didn't run today" |where count==0 |table Error]] |stats values(host) as "Host Data Details", values(Error) as Error, values(local) as "Files created localley on AMP", values(FilesofDMA) as "File sent to DMA" <query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentageRow">false</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="host_ip> <colorPalette type="map">{"12.234.201.22":#53A051, "10.457.891.34":#53A051,"10.234.34.18":#53A051,"10.123.363.23":#53A051}</colorPalette> </format> <format type="color" field="local"> <colorPalette type="list">[#DC4E41,#53A051]</colorPalette> <scale type="threshold">8</scale> </format> <format type="color" field="FilesofDMA"> <colorPalette type="list">[#DC4E41,#53A051]</colorPalette> <scale type="threshold">8</scale> </format> <format type="color" field="Files created localley on AMP"> <colorPalette type="list">[#DC4E41,#53A051]</colorPalette> <scale type="threshold">8</scale> </format> <format type="color" field="File sent to DMA"> <colorPalette type="list">[#DC4E41,#53A051]</colorPalette> <scale type="threshold">8</scale> </format> <format type="color" field="Error"> <colorPalette type="map">{"Job didn't run today":#DC4E41}</colorPalette> </format> <format type="color" field="Host Data Details"> <colorPalette type="map">{"HOM-jjderf - 10.123.34.18":#53A051"HOM-iytgh - 10.123.363.23":#53A051, HOP-wghjy - 12.234.201.22":#53A051, "HOP-tyhgt - 12.234.891.34":#53A051}</colorPalette> </format> </table> </panel> </row> </form>

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-05-2024 09:15 PM

Please edit your post and use the code block feature when posting code, otherwise it's unreadable

bowesmana_0-1714968912315.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-06-2024 12:54 AM

As I said in a duplicate post, you don't appear to be referencing the timepicker token correctly - try using $timepicker.earliest$ and $timepicker.latest$

0 Karma
Reply

Ram2
Explorer
‎05-07-2024 05:44 AM

What do you mean by timepicker token correctly - try using $timepicker.earliest$ and $timepicker.latest$
i am using the same, i am not sure what is the issue here:

<form version="1.1" theme="dark">
<label>DMT Dashboard</label>
<fieldset submitButton="false">
<input type="time" token="timepicker">
<label>TimeRange</label>
<default>
<earliest>-15m@m</earliest>
<latest>now</latest>
</default>
</input>
<row>
<panel>
<table>
<search>
<query>
index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23)  repoter.dataloadingintiated
|stats count by local
|append
[search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23)  task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data"
|stats count as FilesofDMA]
|append
[search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23)   "app.mefwebdata - jobintiated"
|eval host = case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24))
|eval host = host + " - " + host_ip
|stats count by host
|fields - count
|appendpipe
[stats count
|eval Error="Job didn't run today"
|where count==0
|table Error]]
|stats values(host) as "Host Data Details", values(Error) as Error, values(local) as "Files created localley on AMP", values(FilesofDMA) as "File sent to DMA"
<query>
<earliest>timepicker.earliest</earliest>
<latest>timepicker.latest</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentageRow">false</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="host_ip>
<colorPalette type="map">{"12.234.201.22":#53A051, "10.457.891.34":#53A051,"10.234.34.18":#53A051,"10.123.363.23":#53A051}</colorPalette>
</format>
<format type="color" field="local">
<colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
<scale type="threshold">8</scale>
</format>
<format type="color" field="FilesofDMA">
<colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
<scale type="threshold">8</scale>
</format>
<format type="color" field="Files created localley on AMP">
<colorPalette type="list">[#DC4E41,#53A051]</colorPalette
<scale type="threshold">8</scale>
</format>
<format type="color" field="File sent to DMA">
<colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
<scale type="threshold">8</scale>
</format>
<format type="color" field="Error">
<colorPalette type="map">{"Job didn't run today":#DC4E41}</colorPalette>
</format>
<format type="color" field="Host Data Details">
<colorPalette type="map">{"HOM-jjderf - 10.123.34.18":#53A051"HOM-iytgh - 10.123.363.23":#53A051, HOP-wghjy - 12.234.201.22":#53A051, "HOP-tyhgt - 12.234.891.34":#53A051}</colorPalette>
</format>
</table>
</panel>
</row>
</form>
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-07-2024 08:36 PM

Your search is written in a very strange way for Splunk SPL - so it makes it hard to understand what your data looks like and what you are actually trying to get to.

Based on your posted search, this is a more efficient replacement - try this search and see if this comes up with the same output as your basic search

index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) 

   (repoter.dataloadingintiated) OR
   (task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data") OR
   ("app.mefwebdata - jobintiated")

| eval host=if(match(_raw, "(?i)app\.mefwebdata - jobintiated"), case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24)) + " - " + host_ip , null())
| eval FilesofDMA=if(match(_raw, "task\.dataloadedfromfiles"), 1, 0)
| stats values(host) as "Host Data Details" values(Error) as Error values(local) as "Files created localley on AMP" sum(FilesofDMA) as "File sent to DMA" 
| appendpipe 
    [ stats dc("Host Data Details") as count 
    | eval Error="Job didn't run today" 
    | where count==0 
    | table Error]

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2024 05:47 AM 
<earliest>timepicker.earliest</earliest>
<latest>timepicker.latest</latest>

This shows you are not using the tokens correctly

0 Karma
Reply

Ram2
Explorer
‎05-07-2024 06:04 AM

got it its a typo error we used token correctly($timepicker.earliest$ and $timepicker.latest$)  but data is not matching in dashboard panel and when i open in search

may i know what is the issue here.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-06-2024 03:17 PM

Ah, I knew I'd see this asked before...

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-05-2024 08:30 PM

and is local=221 for all events?

0 Karma
Reply

Ram2
Explorer
‎05-05-2024 08:48 PM

Yes Local=221 for all events

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-05-2024 05:53 PM

What is not displaying correctly - what is different between the two tables?

 

0 Karma
Reply

Ram2
Explorer
‎05-05-2024 06:17 PM

There is no difference in the query, same query in dashboard panel and same used in search too

0 Karma
Reply

Ram2
Explorer
‎05-05-2024 06:16 PM

Panel displaying in dashboard:

Ram2_0-1714958174455.png

 



When we open the panel in search showing as below:(this is the correct data)

Host Data DetailsErrorFiles created localley on AMPFile sent to DMA
HOM-jjderf - 10.123.34.18
HOM-iytgh - 10.123.363.23
HOP-wghjy - 12.234.201.22
HOP-tyhgt - 12.234.891.34		 22186

 

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...