Dashboards & Visualizations

How to set search mode to verbose in Simple XML and in HTML dashboards?

reachsenthilnat
New Member

Splunk version : 6.4.2

I have dashboards that display historic data (last 18 months of data) grouped at the month level. In my developer box, I am able to see the 18 months of data. But in the Production environment, it shows only 3-4 months of data. I ran different searches with earliest/latest options and I saw that in production, it always gives only about 100 days of data in dashboards.

When I did the same using the search box, I realized that if I change the search mode to verbose, it gives me all the data. My searches are transforming searches that use timechart. Now how do I set the search mode to verbose in Simple XML and in HTML dashboards?

If that cannot be set (which is what some other Splunk answers were saying), then is there a workaround to this? Can I run this query in the background in verbose mode and show the already calculated results? (My data is not dynamic. These reports are at monthly level and the view changes once in a month only.)

==Edit==

I added the query sample below.

source="*InputData.csv" earliest=-18mon | timechart span=1mon avg(fieldA) as AvgOfFieldA

==End-Edit===

Thanks,
Senthil Nathan

0 Karma

yannK
Splunk Employee

To get the fields extracted, simply require them in the search.

Example:

my search 

This will return the default fields, and run as it was in fast mode.

versus

 mysearch | stats count by fieldA fieldB fieldC

 mysearch | fields _time _raw myfieldD myfieldE

The second group of searches will extract the fields as requested (like a smart search will do).

Lowell
Super Champion

You can always do | fields * as well, if you really want ALL the fields. Of course, this is a last resort that should be reserved for situations when you really don't know ahead of time what fields you will need.

0 Karma

reachsenthilnat
New Member

Thank you yannK for the reply. I added my sample query to the question. Tried yours as well.

My original query:

source="*InputData.csv" earliest=-18mon | timechart span=1mon avg(fieldA ) as Average_fieldA

Modified as you suggested:

source="*InputData.csv" earliest=-18mon | fields _time _raw fieldA | timechart span=1mon avg(fieldA ) as Average_fieldA

Both these queries return results of 18 months, if I run them in verbose mode. In fast mode or in smart mode, it returns only about 3 months of data. (So maybe smart search is also not extracting data as expected?)

Some more details: my file is a CSV file and I use the field names in the CSV for this search. I don't use any data model or extracted fields.

Thanks again for your time.

0 Karma