Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my dashboard panel query only working in search mode(verbose)?

sureshkrovi
Explorer
‎11-14-2018 02:27 PM

Hi,

I've observed that my dashboard panel query(that has stats) has returned no records when I have stats in it. But, when I tried to run the same query in the search page by selecting verbose mode, it returned the result.

When I remove stats, it's working in the dashboard panel, but I need to count the records using stats per the requirement. Would like to check if there is a way to set verbose mode in a saved dashboard panel query

index=db_errors | dbxlookup lookup=QERROR|eval earlyDate=strftime("1541836800", "%Y-%m-%d")|  eval latestDate=strftime("1542268800", "%Y-%m-%d")| eval createdOn=strptime(CREATED_ON, "%Y-%m-%d %H:%M:%S")|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-15-2018 12:21 AM

@sureshkrovi ,

If you trying stats on an extracted field, try explicitly mentioning the field list before your stats command. 

index=db_errors | dbxlookup lookup=QERROR|eval earlyDate=strftime("1541836800", "%Y-%m-%d")
| eval latestDate=strftime("1542268800", "%Y-%m-%d")| eval createdOn=strptime(CREATED_ON, "%Y-%m-%d %H:%M:%S")
|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
|fields field1,field2,..fieldn |stats count by yourfieldlists
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sureshkrovi
Explorer
‎11-15-2018 10:46 AM

Never mind,this is resolved.fields should be before lookup not at the end as the filter(where clause) is getting null created_date if we put fields at end that fails the query.

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎11-15-2018 02:39 AM

hi @sureshkrovi

Try like this .

Run your query in search page.click on visualization select which one you want.
just save it as dashboard ,If you want to add in exciting dashboard or new dashboard with your own choice.

Thanks
Harish
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-15-2018 12:21 AM

@sureshkrovi ,

If you trying stats on an extracted field, try explicitly mentioning the field list before your stats command. 

index=db_errors | dbxlookup lookup=QERROR|eval earlyDate=strftime("1541836800", "%Y-%m-%d")
| eval latestDate=strftime("1542268800", "%Y-%m-%d")| eval createdOn=strptime(CREATED_ON, "%Y-%m-%d %H:%M:%S")
|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1
|fields field1,field2,..fieldn |stats count by yourfieldlists
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

sureshkrovi
Explorer
‎11-15-2018 10:14 AM

One more observation is in search mode I see message "No data found yet" while query is running ,but in dashboard execution I didn't see this message.

Is anything we can suspect query execution time?e.g dasbhboard execution stops when query takes long time

0 Karma
Reply
Solved! Jump to solution

sureshkrovi
Explorer
‎11-15-2018 10:09 AM

what yourfieldlists refer here.Is it single field or do I need to mention all the fields.I tried this option but didn't work out.Note that ERROR_CATEGORY_NAME is the lookup output field
|eval createdOn1=strftime(createdOn, "%Y-%m-%d")|where createdOn1>=earlyDate AND createdOn1

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...