Dashboards & Visualizations

Why is my dashboard panel query only working in search mode (verbose)?

sureshkrovi
Explorer

Hi,

I've observed that my dashboard panel query (that has stats) has returned no records when I have stats in it. But when I tried to run the same query in the search page by selecting verbose mode, it returned the result.

When I remove stats, it's working in the dashboard panel, but I need to count the records using stats per the requirement. I would like to check if there is a way to set verbose mode in a saved dashboard panel query.

index=db_errors | dbxlookup lookup=QERROR|eval earlyDate=strftime("1541836800", "%Y-%m-%d")|  eval latestDate=strftime("1542268800", "%Y-%m-%d")| eval createdOn=strptime(CREATED_ON, "%Y-%m-%d %H:%M:%S")|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1

renjith_nair
SplunkTrust

@sureshkrovi ,

If you are trying stats on an extracted field, try explicitly mentioning the field list before your stats command.

index=db_errors | dbxlookup lookup=QERROR|eval earlyDate=strftime("1541836800", "%Y-%m-%d")
| eval latestDate=strftime("1542268800", "%Y-%m-%d")| eval createdOn=strptime(CREATED_ON, "%Y-%m-%d %H:%M:%S")
|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
|fields field1,field2,..fieldn |stats count by yourfieldlists
Happy Splunking!


sureshkrovi
Explorer

Never mind, this is resolved. fields should be before the lookup, not at the end, as the filter (where clause) gets a null created_date if we put fields at the end, and that fails the query.


harishalipaka
Motivator

Hi @sureshkrovi,

Try it like this.

Run your query in the search page. Click on Visualization and select which one you want.
Just save it as a dashboard, adding it to an existing dashboard or a new dashboard as you choose.

*********All the Best***********

sureshkrovi
Explorer

One more observation: in search mode I see the message "No data found yet" while the query is running, but in dashboard execution I didn't see this message.

Is there anything we can suspect about query execution time? E.g. dashboard execution stops when the query takes a long time.


sureshkrovi
Explorer

What does yourfieldlists refer to here? Is it a single field, or do I need to mention all the fields? I tried this option but it didn't work out. Note that ERROR_CATEGORY_NAME is the lookup output field.
|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
