Dear support,
In the form below, I have the following issues:
1. Empty pie-chart named Domains for field dest_nt_host
2. Empty RecordNumber and dest_nt_host at the (single) stats table in the end
<form>
<label>Win Domain Logon Success</label>
<search id="win_dm_logon_sc">
<query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
<earliest>$field_time.earliest$</earliest>
<latest>$field_time.latest$</latest>
</search>
<fieldset submitButton="false">
<input type="time" token="field_time">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="field_user" searchWhenChanged="true">
<label>User</label>
<default>*</default>
</input>
<input type="text" token="field_ws" searchWhenChanged="true">
<label>Workstation</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>Windows Domain Logons</title>
<chart>
<search base="win_dm_logon_sc">
<query>timechart count</query>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Events</title>
<single>
<search base="win_dm_logon_sc">
<query>stats count</query>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Users</title>
<chart>
<search base="win_dm_logon_sc">
<query>stats count by user | rename user as User</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Workstations</title>
<chart>
<search base="win_dm_logon_sc">
<query>stats count by Source_Workstation | rename Source_Workstation as Workstation</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Domains</title>
<chart>
<search base="win_dm_logon_sc">
<query>stats count by dest_nt_host | rename dest_nt_host as Dest_Domain</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Windows Domain Successful Logons</title>
<search base="win_dm_logon_sc">
<query>table _time RecordNumber user Source_Workstation dest_nt_host </query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
</form>
Both fields do exist and do have data - 100%.
I can verify this when I click on the magnifier search button and open them in a search.
I cannot find why.
Please advise.
Best regards,
Altin
Your base search is a non-transforming base search; see this comment in the heading "Use a transforming base search":
https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches
<search id="win_dm_logon_sc">
<query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
<earliest>$field_time.earliest$</earliest>
<latest>$field_time.latest$</latest>
</search>
You will need to specify a 'fields' statement at the end of your search, which can be wildcards if you need, but best to limit it to what you need to preserve resources.
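An added example, not part of the original thread: a small Python check that lists the fields a dashboard's post-process searches use but its base search never names, run here on a constructed excerpt of the form from the question. It assumes a non-transforming base search passes on only `_time` and the fields it references, and it parses only the `stats ... by` and `table` forms used on this page; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the base search from the question plus three of its panels.
DASHBOARD = """<form>
<search id="win_dm_logon_sc">
<query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
</search>
<row>
<panel><chart><search base="win_dm_logon_sc"><query>stats count by user | rename user as User</query></search></chart></panel>
<panel><chart><search base="win_dm_logon_sc"><query>stats count by dest_nt_host | rename dest_nt_host as Dest_Domain</query></search></chart></panel>
<panel><table><search base="win_dm_logon_sc"><query>table _time RecordNumber user Source_Workstation dest_nt_host </query></search></table></panel>
</row>
</form>"""

def fields_needed(post_query):
    """Fields read by the first command of a post-process search (heuristic)."""
    first = post_query.split("|")[0].strip()
    m = re.match(r"table\s+(.*)", first) or re.search(r"\bby\s+(.*)", first)
    return set(re.split(r"[\s,]+", m.group(1).strip())) if m else set()

def fields_referenced(base_query):
    """Fields the base search names, as name=value or in a '| fields' command."""
    named = set(re.findall(r"([A-Za-z_]\w*)\s*=", base_query))
    for seg in base_query.split("|"):
        seg = seg.strip()
        if seg.startswith("fields "):
            named |= set(re.split(r"[\s,]+", seg[len("fields "):].strip()))
    return named

def missing_fields(xml_text):
    """Map each base search id to the post-process fields it does not name."""
    root = ET.fromstring(xml_text)
    bases = {s.get("id"): s.findtext("query") for s in root.iter("search") if s.get("id")}
    report = {}
    for s in root.iter("search"):
        base = s.get("base")
        if base in bases:
            # Assumption: _time is always available to post-process searches.
            missing = fields_needed(s.findtext("query")) - fields_referenced(bases[base]) - {"_time"}
            if missing:
                report.setdefault(base, set()).update(missing)
    return report

if __name__ == "__main__":
    print(missing_fields(DASHBOARD))
```

On the sample it reports `RecordNumber` and `dest_nt_host`, the two fields that showed up empty, and reports nothing once the base query ends with `| fields _time RecordNumber user Source_Workstation dest_nt_host`.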
Thank you @bowesmana
This did work.
Still, I do not get one thing.
Out of the same search, some fields do appear and some do not. Two pie charts get filled and one does not.
I would perfectly understand if all columns showed empty, and likewise for all charts.
This way is very misleading.
Why does this happen?
Best,
Altin
@altink without seeing your data and query, it's difficult to know why one is not working