Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Events and results returned from search, results n...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a search that runs to extract garbage collection times from some JVM logs:
sourcetype="WLE_GC_Logs" | rex field=_raw "totalms=\"(?
This searches the logs, extracts the garbage collection time using regex, then finds the anomalies that have occurred and is then supposed to plot them.
-
The problem occurs during the plotting - while the search is running, I can see the report graph being generated, however, as soon as the search finishes, then graph disappears and I'm left with "No results found. Inspect.."
Clicking through gives me the following:
================================
This search has completed and found 5 matching events. However, the transforming commands in the highlighted portion of the following search:
search sourcetype="WLE_GC_Logs" | rex field=_raw "totalms=\"(?
over the time range:
06/01/2012 16:34:51.000 – (latest indexed event)
generated no results. Possible solutions are to:
check the syntax of the commands
verify that the fields expected by the report commands are present in the events
The following messages were returned by the search subsystem:
DEBUG: base lispy: [ AND sourcetype::wle_gc_logs ]
DEBUG: search context: user="admin", app="search", bs-pathname="C:\Program Files\Splunk\etc"
Learn more about troubleshooting empty search results at Splunk Documentation.
================================
What puzzles me is that it plots the graph completely fine for a while, then switches to "No results found". If I pause the search while the graph still looks ok, then there's no problem and I see exactly what is intended.
Any ideas anyone? Bug in the new graphing engine? Splunk version is 4.3
Thanks for any help 🙂
Cheers,
Miles
**EDIT:
So I've found that when I strip off the xyseries section from the end, all the results are returned correctly, which leads me to believe that the xyseries command is doing something funny with the results.
Has anyone encountered any problems graphing results with xyseries?
After some more playing round, I'm fairly certain it's xyseries. I've opened a support case with Splunk - I'll report back with the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I submitted a case with support (enterprise support is useful) - The support guys have replicated my problem and raised it as a bug, it turns out there was a problem with xyseries after all. Bug #SPL-47278.
Hopefully this will be fixed in the near future as part of a release.
Thanks all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I submitted a case with support (enterprise support is useful) - The support guys have replicated my problem and raised it as a bug, it turns out there was a problem with xyseries after all. Bug #SPL-47278.
Hopefully this will be fixed in the near future as part of a release.
Thanks all.
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
