Dashboards & Visualizations

Splunk queries return no data in dashboard

poojamistry
Engager

I have the following Splunk query that I have used in a dashboard:

[search source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"| stats avg(time_taken) by cs_uri_filepath | sort - avg(time_taken) | head 10 | fields + cs_uri_filepath] | timechart span=1d avg(time_taken) by cs_uri_filepath

The above query returns the data when I run it in the search view. But when used in a dashboard, for some reason, Splunk seems to be appending an extra keyword 'Search' to the query. The query looks like:

search [search source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"| stats avg(time_taken) by cs_uri_filepath | sort - avg(time_taken) | head 10 | fields + cs_uri_filepath] | timechart span=1d avg(time_taken) by cs_uri_filepath

The above query does not return any data and hence the dashboard does not display the graph. Also, I do not face this issue when I have my dashboard designed for a single panel that uses the query that I mentioned at the beginning of the post. The moment I add 2-3 panels (even if all the panels use the same query) to my dashboard, the query gets modified to add the extra 'Search' keyword. Has anyone faced this issue before and knows how to get rid of it?

sideview
SplunkTrust

Actually, although you're not typing the 'search' command into the search UI, it does put one on there under the hood.

I think you're comparing apples and oranges -- what you see in the search bar (with no search), to the search that the dashboards kick off, which has a leading search command.
You can verify this by looking at the search that the search UI is kicking off - that'll have a search too even though you didn't put one there.

So it's something else causing the difference.

As far as working around the problem -- I agree with Paolo - I don't see the benefit of using a subsearch here - it'll be more straightforward and it'll run faster if you just do the same processing in the main search.

If letting timechart calculate the top 10 values doesn't work for you, you can make more advanced determinations by using streamstats to put aggregate statistics on the events themselves and then using search or where to compare and filter each event row before it gets to the timechart.

0 Karma
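
An added illustration of the approach in the reply above, not code from the thread: it uses eventstats (the whole-result-set sibling of the streamstats command the reply names) to attach each path's overall average to every event, then filters with where before timechart, all in the main search with no subsearch. The field name path_avg and the threshold 1000 are assumptions chosen for the example.

```spl
source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"
| eventstats avg(time_taken) AS path_avg BY cs_uri_filepath
| where path_avg > 1000
| timechart span=1d limit=0 useother=false avg(time_taken) BY cs_uri_filepath
```

Here limit=0 stops timechart from applying its own default series cap, so the where clause alone decides which paths are charted.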

Paolo_Prigione
Builder

Hi, is your intention to only timechart the 10 cs_uri_filepath which have the greatest avg(time_taken)? In that case I think you could replace your query with:

source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"
| timechart span=1d agg=sum useother=false limit=10 avg(time_taken) by cs_uri_filepath