Splunk version : 6.4.2
I have dashboards that display historic data (last 18 months of data) grouped at the month level. In my developer box , I am able to see the 18 months of data. But in Production environment, it shows only 3-4 months of data. I ran different searches with earliest/latest options and i saw that in production, it always gives only about 100 days of data in dashboards.
When i did the same using search box, i realized that if i change the search mode to verbose, it gives me all the data. My searches are transforming searches that use timechart. Now how do i set the search mode to verbose in Simple XML and in HTML dashboards?
If that cannot be set (which is want some other Splunk answers were saying), then is there a workaround to this? Can i run this query in background in verbose mode and show the already calculated results? (My data is not dynamic. these reports are at monthly level and the view changes once in a month only).
I added the query sample below.
source="*InputData.csv" earliest=-18mon | timechart span=1mon avg(fieldA) as AvgOfFieldA
to get the fields extracted, simply require them in the search.
will return the default fields, and run as it was in fast mode.
mysearch | stats count by fieldA fieldB fieldC mysearch | fields _time _raw myfieldD myfieldE
the second group of searches will extract the fields as requested (like a smart search will do)
Thank you yannK for the reply. I added my sample query to the question. Tried yours as well.
My original query:
source="*InputData.csv" earliest=-18mon | timechart span=1mon avg(fieldA ) as Average_fieldA
modified as you suggested:
source="*InputData.csv" earliest=-18mon | fields time _raw fieldA | timechart span=1mon avg(fieldA ) as AveragefieldA
Both these queries return results of 18 months, if i run them in verbose mode. In fast mode or in smart mode, it returns only about 3 months of data. (So may be smart search is also not extracting data as expected?)
some more details. My file is a CSV file and i use the field names in CSV for this search. I dont use any data model or extracted fields.
thanks again for your time.
You can always do
| fields * as well, if you really want ALL the fields. Of course, this is a last resort that should be reserved for situations when really don't know ahead of time what fields you will need.