Is there any way I can load charts in a dashboard based on a verbose search? I tried saving a report with verbose which shows all the intended results but still loads in fast mode when linked to a dashboard panel.
I'm using Splunk 6.
Here's a search that might show the difference a bit better...
eventtype=tickets assignee=aUser | convert timeformat="%Y-%m-%d %T" mktime(created_at) | fieldformat created_at=strftime(created_at,"%Y-%m-%d %T") | convert timeformat="%Y-%m-%d %T" mktime(closed_at) | fieldformat closed_at=strftime(closed_at,"%Y-%m-%d %T") | eval DaysOpen=round((now() - created_at)/3600/24,0) | eval DaysFromClose=round((now() - closed_at)/3600/24,0) | stats first(status) as status first(summary) as summary first(DaysOpen) as DaysOpen first(DaysFromClose) as DaysFromClose first(due_at) as due_at by ticket_number,assignee | search (status="open" AND DaysOpen>30) OR (status="closed" AND DaysFromClose<30) | top status
returns a count of
open = 18 closed = 17
Searching the same thing in verbose mode returns a count of
open = 18 closed = 18
The number of results for both search modes is the same until I run the last search command:
search (status="open" AND DaysOpen>30) OR (status="closed" AND DaysFromClose<30)
You can set the search mode (fast | smart | verbose) in advanced XML. Go to the link below and search for the module "SearchMode".
An example implementation can be seen in the flashtimeline view in the Search app.
eventtype=tickets assignee=aUser | eval DaysSinceUpdate=round((now() - time)/3600/24,0) | convert timeformat="%Y-%m-%d %T" mktime(dueat) | fieldformat dueat=strftime(dueat,"%Y-%m-%d %T") | eval DaysOverdue=round((now() - dueat)/3600/24,0) | stats first(status) as status values(summary) as Summary first(DaysSinceUpdate) as DaysSinceUpdate first(DaysOverdue) as DaysOverdue values(dueat) as dueat by ticketnumber,creator | search (status="open" AND (DaysSinceUpdate>6 OR DaysOverdue>0)) | sort -DaysSinceUpdate
yuan - best to create a new question with your details and link to this one, and you'll hopefully get feedback that is more useful to you.