Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Empty fields in pie-chart and stats table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear support
in the form below, I have the following issues:
1. Empty pie-chart named Domains for field dest_nt_host
2. Empty RecordNumber and dest_nt_host at the (single) stats table in the end
<form>
<label>Win Domain Logon Success</label>
<search id="win_dm_logon_sc">
<query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
<earliest>$field_time.earliest$</earliest>
<latest>$field_time.latest$</latest>
</search>
<fieldset submitButton="false">
<input type="time" token="field_time">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="field_user" searchWhenChanged="true">
<label>User</label>
<default>*</default>
</input>
<input type="text" token="field_ws" searchWhenChanged="true">
<label>Workstation</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>Windows Domain Logons</title>
<chart>
<search base="win_dm_logon_sc">
<query>timechart count</query>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Events</title>
<single>
<search base="win_dm_logon_sc">
<query>stats count</query>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Users</title>
<chart>
<search base="win_dm_logon_sc">
<query>stats count by user | rename user as User</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Workstations</title>
<chart>
<search base="win_dm_logon_sc">
<query>stats count by Source_Workstation | rename Source_Workstation as Workstation</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Domains</title>
<chart>
<search base="win_dm_logon_sc">
<query>stats count by dest_nt_host | rename dest_nt_host as Dest_Domain</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Windows Domain Successful Logons</title>
<search base="win_dm_logon_sc">
<query>table _time RecordNumber user Source_Workstation dest_nt_host </query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
</form>
both fields do exist and do have data - 100%.
I can verify this when I click on the magnifier search button and open them in a search.
cannot find why.
please advise
best regards
Altin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your base search is a non transforming base search, see this comment in the heading "Use a transforming base search"
https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches
<search id="win_dm_logon_sc">
<query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
<earliest>$field_time.earliest$</earliest>
<latest>$field_time.latest$</latest>
</search>You will need to specify a 'fields' statement at the end of your search, which can be wildcards if you need, but best to limit it to what you need to preserve resources.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your base search is a non transforming base search, see this comment in the heading "Use a transforming base search"
https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches
<search id="win_dm_logon_sc">
<query>index=os_windows EventCode=4776 Error_Code=0x0 | search user="$field_user$" Source_Workstation="$field_ws$"</query>
<earliest>$field_time.earliest$</earliest>
<latest>$field_time.latest$</latest>
</search>You will need to specify a 'fields' statement at the end of your search, which can be wildcards if you need, but best to limit it to what you need to preserve resources.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @bowesmana
This did work
Still I do not get one thing.
Out of the same search - some fields do appear - and some not. two pie-charts get filled - and one not.
I would perfectly understand if all columns would show empty, and so for all charts.
This way is very misleading.
Why does this happen ?
best
Altin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@altink without seeing your data and query, it's difficult to know why one is not working
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
