Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Real Time Dashboard issues

FraserC1
Path Finder
‎02-23-2018 02:15 AM

Hi,

I've built a real time dashboard but I am seeing some strange issues.
So on the dashboard page itself, it displays perfectly without any issues.
But when I make it my home dashboard, the time inverts and starts showing the oldest events at the top.

I have no idea why this is happening.

Below are some screenshots of the search and the time settings.

Dashboard view

Home page dashboard

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

mayurr98
Super Champion
‎02-23-2018 04:23 AM

try in ascending order sort _time
also can you try | rtorder discard=t ?
Also try | sort -_indextime

let me know if any of the above works!

0 Karma
Reply

FraserC1
Path Finder
‎02-23-2018 06:49 AM

Hi there, I tried | rtorder discard=t and it sorted it!
Are you able to explain what this statement does? Or maybe there is documentation on it?

Thanks for the help!

0 Karma
Reply

mayurr98
Super Champion
‎02-23-2018 06:53 AM

Yes there is a good documentation on rtorder command
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Rtorder

Accept the answer if it solves your problem!

0 Karma
Reply

FraserC1
Path Finder
‎02-23-2018 02:17 AM

I cannot post anymore photos, so here is the search:

severity_name=alert OR severity_level=alert OR severity_name=critical OR severity_level=critical OR severity_name=emergency OR severity_level=emergency OR severity_name=error OR severity_level=error OR severity_name=informational OR severity_level=informational OR severity_name=notification OR severity_level=notification OR severity_name=warning OR severity_level=warning |fields eventtype

The time is set to: rt-23h & rtnow

0 Karma
Reply

mayurr98
Super Champion
‎02-23-2018 03:23 AM

can you try sort- 0 Time at the end of the search?

0 Karma
Reply

FraserC1
Path Finder
‎02-23-2018 03:26 AM

Hi There,

Sorry I should have said I was added sort - _time at the end of the search and it didn't make a difference.

Interestingly, it seems to have sorted itself out. I'm nt sure if there is some sort of delay or something like that. I've found the custom dashboards to be fairly difficult to set up.

0 Karma
Reply

mayurr98
Super Champion
‎02-23-2018 03:29 AM

can you provide entire query?

0 Karma
Reply

FraserC1
Path Finder
‎02-23-2018 03:40 AM

Sorry what do you mean the entire query?
The only thing I'm searching is with severity_name=alert OR severity_level=alert OR severity_name=critical OR severity_level=critical OR severity_name=emergency OR severity_level=emergency OR severity_name=error OR severity_level=error OR severity_name=informational OR severity_level=informational OR severity_name=notification OR severity_level=notification OR severity_name=warning OR severity_level=warning |fields eventtype

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...