Dashboards & Visualizations

Empty fields in pie-chart and stats table

altink
Contributor

Dear support

In the form below, I have the following issues:

1. Empty pie-chart named Domains for field dest_nt_host
2. Empty RecordNumber and dest_nt_host in the (single) stats table at the end

<form>
  <label>Win Domain Logon Success</label>
  <search id="win_dm_logon_sc">
    <query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
    <earliest>$field_time.earliest$</earliest>
    <latest>$field_time.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field_time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="field_user" searchWhenChanged="true">
      <label>User</label>
      <default>*</default>
    </input>
    <input type="text" token="field_ws" searchWhenChanged="true">
      <label>Workstation</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Windows Domain Logons</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>timechart count</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events</title>
      <single>
        <search base="win_dm_logon_sc">
          <query>stats count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <title>Users</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>stats count by user | rename user as User</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Workstations</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>stats count by Source_Workstation | rename Source_Workstation as Workstation</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Domains</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>stats count by dest_nt_host | rename dest_nt_host as Dest_Domain</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Windows Domain Successful Logons</title>
        <search base="win_dm_logon_sc">
          <query>table _time RecordNumber user Source_Workstation dest_nt_host </query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>

Both fields do exist and do have data - 100%.
I can verify this when I click on the magnifier search button and open them in a search.

I cannot find why.
Please advise.

best regards

Altin


bowesmana
Super Champion

@altink 

Your base search is a non transforming base search, see this comment in the heading "Use a transforming base search"

https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches

  <search id="win_dm_logon_sc">
    <query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
    <earliest>$field_time.earliest$</earliest>
    <latest>$field_time.latest$</latest>
  </search>

You will need to specify a 'fields' statement at the end of your search, which can be wildcards if you need, but it is best to limit it to what you need to preserve resources.


altink
Contributor

Thank you @bowesmana
This did work.

Still, I do not get one thing.
Out of the same search, some fields do appear and some do not. Two pie-charts get filled, and one does not.

I would perfectly understand if all columns showed empty, and so for all charts.
This way is very misleading.
Why does this happen?

best
Altin

bowesmana
Super Champion

@altink Without seeing your data and query, it's difficult to know why one is not working.
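As an added example (an editor's illustration, not code posted by either participant in this thread), here is altink's base search with the `fields` statement that bowesmana's answer calls for, followed by the two panels that were coming up empty. It assumes the same index, event code and field names as the original form. One observation that bears on the follow-up question: the two fields that did render, `user` and `Source_Workstation`, are exactly the ones the base search already references in its `search` clause, while `RecordNumber` and `dest_nt_host` are only referenced by the post-process searches. Listing every field the panels need in the base search removes that dependency, so all panels see the same set of fields.

```xml
<form>
  <label>Win Domain Logon Success</label>

  <!-- Base search: kept non-transforming because the timechart panel needs
       the raw events, but it now ends with a fields command naming every
       field the post-process searches rely on. Index, EventCode and field
       names are taken from the original form; adjust to your own data. -->
  <search id="win_dm_logon_sc">
    <query>index=os_windows EventCode=4776 Error_Code=0x0
      | search user="$field_user$" Source_Workstation="$field_ws$"
      | fields _time RecordNumber user Source_Workstation dest_nt_host</query>
    <earliest>$field_time.earliest$</earliest>
    <latest>$field_time.latest$</latest>
  </search>

  <fieldset submitButton="false">
    <input type="time" token="field_time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="field_user" searchWhenChanged="true">
      <label>User</label>
      <default>*</default>
    </input>
    <input type="text" token="field_ws" searchWhenChanged="true">
      <label>Workstation</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <!-- Previously empty: dest_nt_host was not referenced by the base search,
         so it never reached this post-process search. -->
    <panel>
      <title>Domains</title>
      <chart>
        <search base="win_dm_logon_sc">
          <query>stats count by dest_nt_host | rename dest_nt_host as Dest_Domain</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>

  <row>
    <!-- Previously showed blank RecordNumber and dest_nt_host columns for the
         same reason; both are now carried through by the fields command. -->
    <panel>
      <table>
        <title>Windows Domain Successful Logons</title>
        <search base="win_dm_logon_sc">
          <query>table _time RecordNumber user Source_Workstation dest_nt_host</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>
```

The `fields` command with an explicit list keeps `_time`, so the existing `timechart count` panel keeps working without changes; any other panel you add later must have its fields listed in the base search as well, or it will show the same blank columns. As the answer notes, a wildcard such as `fields *` also works but pulls every extracted field through the base search, so prefer the explicit list.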
