Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Load dashboard panels in verbose mode?

clymbouris
Path Finder
‎05-05-2014 03:35 AM

Is there any way I can load charts in a dashboard based on a verbose search? I tried saving a report with verbose which shows all the intended results but still loads in fast mode when linked to a dashboard panel.

I'm using Splunk 6

Here's a search that might show the difference a bit better...

eventtype=tickets assignee=aUser | convert timeformat="%Y-%m-%d %T" mktime(created_at) | fieldformat created_at=strftime(created_at,"%Y-%m-%d %T") | convert timeformat="%Y-%m-%d %T" mktime(closed_at) | fieldformat closed_at=strftime(closed_at,"%Y-%m-%d %T") | eval DaysOpen=round((now() - created_at)/3600/24,0) | eval DaysFromClose=round((now() - closed_at)/3600/24,0) | stats first(status) as status first(summary) as summary first(DaysOpen) as DaysOpen first(DaysFromClose) as DaysFromClose first(due_at) as due_at by ticket_number,assignee | search (status="open" AND DaysOpen>30) OR (status="closed" AND DaysFromClose<30) | top status

returns a count of

open = 18
closed = 17

searching the same thing in verbose mode returns a count of

open = 18
closed = 18

The number of results for both search modes is the same until I run the last search command:

search (status="open" AND DaysOpen>30) OR (status="closed" AND DaysFromClose<30)
Tags (2)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-16-2017 01:01 PM

I have the exact problem. Following link text and link text, I tried | fields * as well as eventstats as opposed to stats. It made no difference. Only verbose will give the correct result. (I also need to do this in Simple XML.)

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎02-16-2017 01:52 PM

yuan - best to create a new question with your details and link to this one, and you'll hopefully get feedback that is more useful to you.

Reply

devin_stonecyph
Explorer
‎09-10-2014 03:19 PM

Use eventstats instead of stats.

0 Karma
Reply

clymbouris
Path Finder
‎05-06-2014 11:22 PM

I've edited my original post to clarify this a bit better

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-06-2014 10:11 AM

How do the results differ between fast mode and verbose mode?

0 Karma
Reply

clymbouris
Path Finder
‎05-06-2014 03:23 AM

eventtype=tickets assignee=aUser | eval DaysSinceUpdate=round((now() - _time)/3600/24,0) | convert timeformat="%Y-%m-%d %T" mktime(due_at) | fieldformat due_at=strftime(due_at,"%Y-%m-%d %T") | eval DaysOverdue=round((now() - due_at)/3600/24,0) | stats first(status) as status values(summary) as Summary first(DaysSinceUpdate) as DaysSinceUpdate first(DaysOverdue) as DaysOverdue values(due_at) as due_at by ticket_number,creator | search (status="open" AND (DaysSinceUpdate>6 OR DaysOverdue>0)) | sort -DaysSinceUpdate

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 12:49 PM

What's the search you're running?

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎05-05-2014 07:41 AM

You can do set the search mode (fast | smart | verbose) in advanced xml. Go to below link and search for module "SearchMode"

http://docs.splunk.com/Documentation/Splunk/6.0.3/AdvancedDev/ModuleReference

Example implementation can be seen in flashtimeline view in Search app.

Reply
Get Updates on the Splunk Community!

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options A recent Tech Talk, ...

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...