Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard - search returns null

DarrellR
Loves-to-Learn Lots
‎01-31-2025 06:32 AM

I have created a dashboard that reads a MQ flow that contains messages to different vendors.  I have created panels for the different vendors and am trying to group the messages for each of those vendors.  Each Vendor will receive 2 message types ASM and SSM.  2 panels work but the other does not, it only returns NULL yet there are messages.

DarrellR_0-1738333599908.png

The search is exactly the same for all three with the exception of the Vendor address, here is the search

index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY
| timechart count by DR1

The XXXXXX is the Vendor address and .YYYYYYY is the sender address.  The sender address will stay the same but the each panel will have a different XXXXXX value

I can not figure out why only that 1 does not work and returns NULL when it receives basically the same messages just with a different XXXXXX value

 

I hope someone here can help me

Labels (1)
Labels
0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 06:55 AM

Here is the events from left to right for the 3 panels.

DarrellR_1-1738335090326.pngDarrellR_2-1738335179531.pngDarrellR_3-1738335266949.png

So here the DR1 is not showing but the 1st and 3rd panels work but the middle one does not.  The characters in the RED box is what the DR1 is looking for either SSM or ASM

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-31-2025 06:41 AM

Hi @DarrellR ,

are you sure that all the events have the DR1 field?

you could try to add DR1=* to the main search.

Ciao.

Giuseppe

0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 06:43 AM

Hi @gcusello ,

 

Thanks for the quick reply!  I am new to this, where would I add the DR1=* in my search?

 

Also not all the panels have the DR1 in there events but they still work.  This is part of why I don't understand why some work and not others.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-31-2025 11:00 PM

Hi @DarrellR ,

as also @isoutamo said, you should put it in the main search.

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-31-2025 07:01 AM

Here is your original search 

index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY
| timechart count by DR1

You should do it like

index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY DR1=*
| timechart count by DR1

or

index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY
| eval DR1 = coalesce(DR1, "DR1 N/A")
| timechart count by DR1

 https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/ConditionalFunctions#coalesce.28....

 

0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 07:15 AM

Thanks but neither of those seem to work, I still get NULL even though there are messages.  This is very frustrating

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-31-2025 07:20 AM

Are you sure that those queries are used on those panels? Or are there some other filtering after those queries which remove all results?

Can you share those panels source and also your sample data (with anonymous values when needed)?

0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 07:24 AM

This is panel 1

DarrellR_0-1738337063427.png

 

0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 07:26 AM

This is panel 2 [the one showing NULL]

DarrellR_0-1738337165388.png

 

0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 07:28 AM

Here is the source for the 2nd panel

<chart>
<title>SchedConnect Messages to {nnnn]</title>
<search>
<query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY
| timechart count by DR1</query>
<earliest>$TimePickerKielToken.earliest$</earliest>
<latest>$TimePickerKielToken.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<chart>

0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 07:29 AM

here is the source for the 1st panel

<row>
<panel>
<chart>
<title>SchedConnect Messages to [nnnnn]</title>
<search>
<query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY
| timechart count by DR1</query>
<earliest>$TimePickerKielToken.earliest$</earliest>
<latest>$TimePickerKielToken.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<chart>

0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 07:43 AM

Here is the source code all together for those panels - left to right, might be easier to debug

<row>
<panel>
<chart>
<title>SchedConnect Messages to [nnnnn]</title>
<search>
<query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY
| timechart count by DR1</query>
<earliest>$TimePickerKielToken.earliest$</earliest>
<latest>$TimePickerKielToken.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<chart>
<title>SchedConnect Messages to {nnnnn]</title>
<search>
<query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYY
| timechart count by DR1</query>
<earliest>$TimePickerKielToken.earliest$</earliest>
<latest>$TimePickerKielToken.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<chart>
<title>SchedConnect Messages to [nnnnn]</title>
<search>
<query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY
| timechart count by DR1</query>
<earliest>$TimePickerKielToken.earliest$</earliest>
<latest>$TimePickerKielToken.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-31-2025 07:48 AM

Thanx. Next time when you paste something please use </> code block to avoid character changes etc. 

Based on those I suppose that your data haven't correct values what you are looking for. You should check it by clicking magnifying class on right bottom corner of your dashboard's individual panel. This opens exactly same search you to separate window/tab and you can see what events it found. Then you can debug it by e.g. commenting rows away from bottom to top. 

0 Karma
Reply

DarrellR
Loves-to-Learn Lots
‎01-31-2025 08:01 AM

Hi @isoutamo ,

 

I will do that next time I post, thank you.  I have checked the search and aside from the XXXXXX values being the address for the different vendors, each panel uses the exact same search, it is just for 1 I get NULL values even though the messages are there when I look at the events

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...