Panel (single value, table) values are changing to 0 when there are values

dtccsundar
Path Finder

Hi,

I have created a single value and a statistical table panel using the base search below.

Base search:

<search id="search1">
<query>index=s (sourcetype=S_Crd OR sourcetype=S_Fire) | fields *</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>

In search:

<single>
<search base="search1">
<query>
| rex field=_raw "Fire=(?&lt;FireEye&gt;.*?),"
| rex mode=sed field=Fire "s/\\\"//g"
| stats values(*) as * values(sourcetype) as sourcetype by sysid
| fillnull value=""
| eval OS=case(like(OS,"%Windows%"),"Windows",like(OS,"%Linux%"),"Linux",like(OS,"%Missing%"),"Others",like(OS,"%Solaris%"),"Solaris",like(OS,"%AIX%"),"AIX",1=1,"Others")
| search $os$
| stats count</query>
</search>
</single>

Sometimes I get correct values, but suddenly it displays 0 in all panels, including this one. After pressing Ctrl + F5, the issue gets resolved. May I know the reason for this and how to resolve it in the dashboard?

0 Karma

isoutamo
SplunkTrust

Hi

Are you sure that your base search didn't exceed the Splunk limit of 500k events? You should avoid base searches without transforming commands (like stats, chart, timechart, etc.).

Here is more about it

r. Ismo

0 Karma
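
Added example (not part of the original thread and not Splunk's own tooling): a Python check that parses a dashboard's Simple XML and reports the searches used through `base=` whose own query has no transforming command, which is the pattern the reply warns about. The sample dashboard is constructed, `search2` is hypothetical, and the command set beyond stats, chart and timechart is this example's assumption.

```python
import xml.etree.ElementTree as ET

# The reply names stats, chart and timechart; top and rare are added here (assumption).
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}

# Constructed dashboard: search1 is the thread's base search, search2 is hypothetical.
SAMPLE = """<dashboard>
  <search id="search1">
    <query>index=s (sourcetype=S_Crd OR sourcetype=S_Fire) | fields *</query>
  </search>
  <search id="search2">
    <query>index=s sourcetype=S_Crd | stats count by sysid</query>
  </search>
  <row><panel>
    <single><search base="search1"><query>| stats count</query></search></single>
    <table><search base="search2"><query>| sort - count</query></search></table>
  </panel></row>
</dashboard>"""

def commands(query):
    """Command name of each top-level stage; pipes in quotes or [subsearches] don't split."""
    stages, buf, depth, quoted, escaped = [], [], 0, False, False
    for ch in query:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        elif not quoted and depth == 0 and ch == "|":
            stages.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    stages.append("".join(buf))
    return [s.split()[0].lower() for s in stages if s.strip()]

def non_transforming_base_searches(xml_text):
    """Ids of searches used via base= whose own query has no transforming command."""
    root = ET.fromstring(xml_text)
    used_as_base = {s.get("base") for s in root.iter("search") if s.get("base")}
    return [s.get("id") for s in root.iter("search")
            if s.get("id") in used_as_base
            and not TRANSFORMING & set(commands(s.findtext("query") or ""))]

if __name__ == "__main__":
    print(non_transforming_base_searches(SAMPLE))
```

Run against an exported dashboard source, each id it returns is a base search that hands raw events to its post-process panels.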