Empty fields in pie-chart and stats table

altink
Builder

Dear support

in the form below, I have the following issues:

1. Empty pie-chart named Domains for field dest_nt_host
2. Empty RecordNumber and dest_nt_host at the (single) stats table in the end

<form>
  <label>Win Domain Logon Success</label>
  <search id="win_dm_logon_sc">
    <query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
    <earliest>$field_time.earliest$</earliest>
    <latest>$field_time.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field_time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="field_user" searchWhenChanged="true">
      <label>User</label>
      <default>*</default>
    </input>
    <input type="text" token="field_ws" searchWhenChanged="true">
      <label>Workstation</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Windows Domain Logons</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>timechart count</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events</title>
      <single>
        <search base="win_dm_logon_sc">
          <query>stats count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <title>Users</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>stats count by user | rename user as User</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Workstations</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>stats count by Source_Workstation | rename Source_Workstation as Workstation</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Domains</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>stats count by dest_nt_host | rename dest_nt_host as Dest_Domain</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Windows Domain Successful Logons</title>
        <search base="win_dm_logon_sc">
          <query>table _time RecordNumber user Source_Workstation dest_nt_host </query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>

Both fields do exist and do have data - 100%.
I can verify this when I click on the magnifier search button and open them in a search.

I cannot find why.
Please advise.

best regards

Altin


bowesmana
SplunkTrust
SplunkTrust

@altink 

Your base search is a non transforming base search, see this comment in the heading "Use a transforming base search"

https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches

  <search id="win_dm_logon_sc">
    <query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
    <earliest>$field_time.earliest$</earliest>
    <latest>$field_time.latest$</latest>
  </search>

You will need to specify a 'fields' statement at the end of your search, which can be wildcards if you need, but best to limit it to what you need to preserve resources.
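As an added example (not the poster's dashboard or a Splunk-supplied snippet), here is the base search from the form above with the fields clause described in this answer appended. With a non-transforming base search, only the fields the base search itself references (user and Source_Workstation, via the search command) plus default fields such as _time reach the post-process searches, which is why those two pie charts fill while dest_nt_host and RecordNumber arrive empty; the explicit fields list carries exactly the columns the chart and table panels consume, and the panels themselves stay as posted.

```xml
<search id="win_dm_logon_sc">
  <!-- Still a non-transforming base search, but it now ends with an explicit
       fields command, so every field the post-process searches consume
       (_time, RecordNumber, user, Source_Workstation, dest_nt_host) is
       passed through to the pie charts and the stats table. -->
  <query>index=os_windows EventCode=4776 Error_Code=0x0
    | search user="$field_user$" Source_Workstation="$field_ws$"
    | fields _time RecordNumber user Source_Workstation dest_nt_host</query>
  <earliest>$field_time.earliest$</earliest>
  <latest>$field_time.latest$</latest>
</search>
```

Listing the needed fields by name rather than `fields *` keeps the base search result set small, which matters because every panel in the form reuses it.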



altink
Builder

Thank you @bowesmana
This did work

Still I do not get one thing.
Out of the same search - some fields do appear - and some not. Two pie-charts get filled - and one not.

I would perfectly understand if all columns would show empty, and so for all charts.
This way is very misleading.
Why does this happen?

best
Altin

bowesmana
SplunkTrust
SplunkTrust

@altink without seeing your data and query, it's difficult to know why one is not working
