Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SIngle value visalisation is not working using sub search

marellasunil
Communicator
‎08-24-2016 03:53 AM

I am trying to build single value visualisation using search & sub search, But it is not working.

<dashboard>
  <label>SImple dashboard</label>
  <search id="search1"> <query>earliest=-60m latest=now  index=XXXXXX </query> </search>
<row>
    <panel>
      <single>
        <title>Successfull Logins</title>
        <search base="search1">
          <query> where like(sourcetype, "XXXXXX") |  stats count as Total</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0x65a637"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">0</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">TOtal</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>     
</dashboard>
Reply

juansegovia
Engager
‎07-31-2019 12:47 PM

I'm having the exact issue. The trend visualization on the single item panel works with the full search but it just shows a flat line when using a base search.

0 Karma
Reply

sundareshr
Legend
‎08-25-2016 05:49 AM

Try changing you base search and postprocess search like this

base search: 

earliest=-60m latest=now  index=XXXXXX | stats count by sourcetype

postprocess search

| search sourcetype="*XXXXXX*"
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-24-2016 04:26 AM

actually, this one works fine.

please run this query on search and see if it returns any events -
earliest=-30m latest=now index=XXXX | where like(sourcetype, "ABC") | stats count as Total

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

marellasunil
Communicator
‎08-25-2016 02:00 AM

I Am getting number (8).

Even after opening the dashboard, IF i click search icon below dashboard view, Full splunk search is running and getting the result (8)

But in the dashboard view single value visualisation, the value showing is 0 (zero)

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...