Solved: Re: dashboard creation

sushmitha_mj · ‎03-27-2015

I created a deployment app to make a forwarder pick data from a location and index it lets say index A.
Then I created another app whose index is index A , so I can use this app for data display.

Now I see data in the index, and search it using the"index=A" command.
But is this the best way to do it?
Should I not be able to see the data on the app's data summary screen?
Can I build dashboards by using "index=A" as a part of the query?

masonmorales · ‎03-27-2015

Can I build dashboards by using "index=A" as a part of the query?

Yes.

Now I see data in the index, and search it using the"index=A" command. But is this the best way to do it?

Yes, it is, but as you continue to add different kinds of data you will also want to specify in your searches: index=a sourcetype=b source=c host=d when possible.

Should I not be able to see the data on the app's data summary screen?

Correct. You need to execute a search (or build a dashboard with panels that have searches) in order to see your data. The summary screen just lets you know that data is being indexed.

View solution in original post

marcoscala · ‎03-28-2015

In the Data Summary you see events from your (the user your using) default indexes. If index A is not among your default indexes, you won't see the number of events in the summary data.
To add it as default index, go to Settings - user management and change the role setting the user belongs to. that apples also for Admin user.

sushmitha_mj · ‎03-30-2015

@marcoscala
I do not find user management under my settings and I also, do not find the index name anywhere in the data summary. I only find hosts, sources, sourcetype. where should I look for the index?

sushmitha_mj · ‎03-30-2015

It worked...................... 🙂
Thanks...

masonmorales · ‎03-27-2015

Can I build dashboards by using "index=A" as a part of the query?

Yes.

Now I see data in the index, and search it using the"index=A" command. But is this the best way to do it?

Yes, it is, but as you continue to add different kinds of data you will also want to specify in your searches: index=a sourcetype=b source=c host=d when possible.

Should I not be able to see the data on the app's data summary screen?

Correct. You need to execute a search (or build a dashboard with panels that have searches) in order to see your data. The summary screen just lets you know that data is being indexed.

sushmitha_mj · ‎03-30-2015

@masonmorales

I did perform a search. BuT I still cannot see the data in the summary. The problem is, it takes a lot of time to load the data (I have millions of records), each time I execute the search.

How do I get over this problem?

sushmitha_mj · ‎03-30-2015

It worked... thanks...... 🙂

masonmorales · ‎03-30-2015

No problem. In regards to improving load time, you may to take a look at the resources in this post: http://answers.splunk.com/answers/224261/does-accelerated-searching-cache-data-so-its-faste.html

dashboard creation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation