Load dashboard panels in verbose mode?

Path Finder

Is there any way I can load charts in a dashboard based on a verbose search? I tried saving a report with verbose which shows all the intended results but still loads in fast mode when linked to a dashboard panel.

I'm using Splunk 6.

Here's a search that might show the difference a bit better...

eventtype=tickets assignee=aUser | convert timeformat="%Y-%m-%d %T" mktime(created_at) | fieldformat created_at=strftime(created_at,"%Y-%m-%d %T") | convert timeformat="%Y-%m-%d %T" mktime(closed_at) | fieldformat closed_at=strftime(closed_at,"%Y-%m-%d %T") | eval DaysOpen=round((now() - created_at)/3600/24,0) | eval DaysFromClose=round((now() - closed_at)/3600/24,0) | stats first(status) as status first(summary) as summary first(DaysOpen) as DaysOpen first(DaysFromClose) as DaysFromClose first(due_at) as due_at by ticket_number,assignee | search (status="open" AND DaysOpen>30) OR (status="closed" AND DaysFromClose<30) | top status

returns a count of

open = 18
closed = 17

searching the same thing in verbose mode returns a count of

open = 18
closed = 18

The number of results for both search modes is the same until I run the last search command:

search (status="open" AND DaysOpen>30) OR (status="closed" AND DaysFromClose<30)
0 Karma

Builder

I have the exact problem. Following link text and link text, I tried | fields * as well as eventstats as opposed to stats. It made no difference. Only verbose will give the correct result. (I also need to do this in Simple XML.)

0 Karma

SplunkTrust

yuan - best to create a new question with your details and link to this one, and you'll hopefully get feedback that is more useful to you.

Use eventstats instead of stats.

0 Karma

Path Finder

I've edited my original post to clarify this a bit better.

0 Karma

SplunkTrust

How do the results differ between fast mode and verbose mode?

0 Karma

Path Finder

eventtype=tickets assignee=aUser | eval DaysSinceUpdate=round((now() - _time)/3600/24,0) | convert timeformat="%Y-%m-%d %T" mktime(due_at) | fieldformat due_at=strftime(due_at,"%Y-%m-%d %T") | eval DaysOverdue=round((now() - due_at)/3600/24,0) | stats first(status) as status values(summary) as Summary first(DaysSinceUpdate) as DaysSinceUpdate first(DaysOverdue) as DaysOverdue values(due_at) as due_at by ticket_number,creator | search (status="open" AND (DaysSinceUpdate>6 OR DaysOverdue>0)) | sort -DaysSinceUpdate

0 Karma

SplunkTrust

What's the search you're running?

0 Karma

SplunkTrust

You can set the search mode (fast | smart | verbose) in Advanced XML. Go to the link below and search for the module "SearchMode".

http://docs.splunk.com/Documentation/Splunk/6.0.3/AdvancedDev/ModuleReference

An example implementation can be seen in the flashtimeline view in the Search app.