run a dashboard search in verbose mode through Simple XML?

snayani
Explorer

I've created a dashboard with some panels, and I am getting different event counts than when I run the reports individually. The event counts from dashboards are less than the event counts run through a report. I've read some posts mentioning that we can do some settings in the savedsearches.conf file to run the dashboard in verbose mode. I have Splunk User role access, and I don't have admin access to perform these changes. Please suggest if there is a way to get this resolved through Simple/Advanced XML dashboard configuration.

snayani
Explorer

[screenshot: Verbose mode]

Please let me know if you can see the 'Verbose' image.

snayani
Explorer

[screenshot: Fast mode]

Fast mode events count: 10222

skoelpin
SplunkTrust

Why would you want to run this in verbose mode? The only difference between modes is field discovery.

Are you using post processing in your dashboard? Are your fields not getting passed?

snayani
Explorer

The difference is not only field discovery; the count of events also differs. If I run the dashboard panel as a report in fast mode, the event count is the same as when I run the report from a dashboard. There is a mismatch of results between running the search from a dashboard and running the search from a report or a general verbose mode search.

skoelpin
SplunkTrust

This is not true. The only difference between verbose and fast mode is field discovery. It's not going to magically change the count because of the mode.

You should first see if you're looking over identical time ranges. If you're using relative time then you will definitely have different result counts. You should also post your search.

snayani
Explorer

Hi @skoelpin,
I ran the searches in verbose and fast mode. I took screenshots to show the differences in events I am seeing when I run the search in fast mode versus verbose mode. But I am unable to post the screenshots here. You can try to see the difference by running a simple query with a transforming command in it.

skoelpin
SplunkTrust

Once again, are you using non-relative time when doing this?

snayani
Explorer

This is my query (the named capture group in the rex was lost when the post was rendered; it must be EC to match the stats clause):

index="abc" attrs.io.kubernetes.pod.namespace="xyz" earliest=-60d@d latest=now
| rex "ERRORCODE=-(?<EC>\d{4})"
| stats count by EC

skoelpin
SplunkTrust

You're using relative time since you do not have latest specified. It is expected to get a different result count each time you run the search. If you used non-relative time then you should get identical counts each time you run the search.

Try running this search to test it (the rex group name must match the field used in stats, so the group is named Database_Error_Code here):

index="abc" attrs.io.kubernetes.pod.namespace="xyz" earliest=-60d@d latest=-59d@d
| rex "ERRORCODE=-(?<Database_Error_Code>\d{4})"
| stats count by Database_Error_Code
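
An added example, not part of the thread, that models the argument above offline: the same `rex ... | stats count by EC` pipeline is run over constructed sample events once with the open-ended window `earliest=-60d@d latest=now` and once with the bounded window `earliest=-60d@d latest=-59d@d`, at two different "now" times. It assumes Splunk's relative-time semantics (the offset is applied first, then `@d` snaps to midnight; earliest is inclusive and latest exclusive) and that stats drops events with no extracted EC; the log lines and run times are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex from the thread, with the named group restored.
ERROR_CODE_RE = re.compile(r"ERRORCODE=-(?P<EC>\d{4})")
# Only the modifiers used in the thread are supported: now, -Nd, -Nd@d.
RELATIVE_RE = re.compile(r"^-(\d+)d(@d)?$")

UTC = timezone.utc
# Constructed sample events (_time, _raw); not real data from the poster.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 1, 11, 30, tzinfo=UTC), "pod=api ERRORCODE=-1001 db timeout"),
    (datetime(2024, 1, 1, 0, 30, tzinfo=UTC), "pod=api ERRORCODE=-1001 db timeout"),
    (datetime(2024, 1, 1, 15, 0, tzinfo=UTC), "pod=web ERRORCODE=-2002 bad input"),
    (datetime(2023, 12, 31, 23, 59, tzinfo=UTC), "pod=web ERRORCODE=-2002 bad input"),
    (datetime(2024, 2, 15, 8, 0, tzinfo=UTC), "pod=web healthcheck ok"),  # no code
    (datetime(2024, 1, 2, 0, 0, tzinfo=UTC), "pod=api ERRORCODE=-1001 db timeout"),
]
# Two constructed wall-clock times at which the "same" search is run.
RUN1 = datetime(2024, 3, 1, 12, 0, tzinfo=UTC)
RUN2 = RUN1 - timedelta(hours=1)


def resolve(spec, now):
    """Turn a relative time modifier into an absolute time, Splunk style:
    subtract the offset first, then snap (@d = midnight of that day)."""
    if spec == "now":
        return now
    m = RELATIVE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported modifier: {spec}")
    t = now - timedelta(days=int(m.group(1)))
    if m.group(2):
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t


def count_by_code(events, earliest, latest, now):
    """Model `earliest=.. latest=.. | rex ... | stats count by EC`.
    Window is [earliest, latest); events without an EC are dropped."""
    lo, hi = resolve(earliest, now), resolve(latest, now)
    counts = {}
    for ts, raw in events:
        if lo <= ts < hi:
            m = ERROR_CODE_RE.search(raw)
            if m:
                counts[m["EC"]] = counts.get(m["EC"], 0) + 1
    return counts


if __name__ == "__main__":
    for window in (("-60d@d", "now"), ("-60d@d", "-59d@d")):
        print(window, count_by_code(SAMPLE_EVENTS, *window, RUN1),
              count_by_code(SAMPLE_EVENTS, *window, RUN2))
```

The open-ended window gives a different total on the two runs because an event landed between them, while the bounded window returns the same counts on both runs.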
snayani
Explorer

I tried the method you mentioned above. Please find screenshot below. The count is 10,222 in fast mode and the count is 10,600 with verbose mode.

skoelpin
SplunkTrust

Post the image with identical SPL in verbose mode.

snayani
Explorer

Please find the second image in answer section.

skoelpin
SplunkTrust

Image looks broken.

snayani
Explorer

Could you please try opening it in Chrome?

skoelpin
SplunkTrust

I'm using Chrome. The first image shows and the second image is broken. Please get this straightened out before replying back.

snayani
Explorer

Please see below for the Verbose image I've uploaded. Please let me know if you can see it without any issue.
