Dashboards & Visualizations

SIngle value visalisation is not working using sub search

marellasunil
Communicator

I am trying to build single value visualisation using search & sub search, But it is not working.

<dashboard>
  <label>SImple dashboard</label>
  <search id="search1"> <query>earliest=-60m latest=now  index=XXXXXX </query> </search>
<row>
    <panel>
      <single>
        <title>Successfull Logins</title>
        <search base="search1">
          <query> where like(sourcetype, "XXXXXX") |  stats count as Total</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0x65a637"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">0</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">TOtal</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>     
</dashboard>

juansegovia
Engager

I'm having the exact issue. The trend visualization on the single item panel works with the full search but it just shows a flat line when using a base search.

0 Karma

sundareshr
Legend

Try changing you base search and postprocess search like this

base search:

earliest=-60m latest=now  index=XXXXXX | stats count by sourcetype

postprocess search

| search sourcetype="*XXXXXX*"
0 Karma

inventsekar
Super Champion

actually, this one works fine.

please run this query on search and see if it returns any events -
earliest=-30m latest=now index=XXXX | where like(sourcetype, "ABC") | stats count as Total

0 Karma

marellasunil
Communicator

I Am getting number (8).

Even after opening the dashboard, IF i click search icon below dashboard view, Full splunk search is running and getting the result (8)

But in the dashboard view single value visualisation, the value showing is 0 (zero)

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!