I've created a dashboard with some panels, and I am getting different event counts than when I run the reports individually. The event counts from dashboards are less than the event counts run through a report. I've read some posts mentioning that we can do some settings in the savedsearches.conf file to run the dashboard in verbose mode. I have Splunk User role access, and I don't have admin access to perform these changes. Please suggest if there is a way to get this resolved through Simple/Advanced XML dashboard configuration.
Fast mode events count: 10222
Why would you want to run this in verbose mode? The only difference between modes is field discovery.
Are you using post processing in your dashboard? Are your fields not getting passed?
The only difference is not only field discovery; the count of events also differs. If I run the dashboard panel as a report in fast mode, the event count is the same as when I run the report from a dashboard. There is a mismatch of results between running the search from a dashboard and running it from a report or as a general verbose mode search.
This is not true. The only difference between verbose and fast mode is field discovery. It's not going to magically change the count because of the mode.
You should first see if you're looking over identical time ranges. If you're using relative time then you will definitely have different result counts. You should also post your search.
Hi @skoelpin,
I ran the searches in verbose and fast mode. I took screenshots, to show the differences of events I am seeing when I run the search in fast mode versus verbose mode. But I am unable to post the screenshots here. You can try to see the difference by running simple query with a transforming command in it.
Once again, are you using non-relative time when doing this?
This is my query:
index="abc" attrs.io.kubernetes.pod.namespace="xyz" earliest=-60d@d latest=now
| rex "ERRORCODE=-(?<EC>\d{4})"
| stats count by EC
You're using relative time since you do not have latest specified. It is expected to get a different result count each time you run the search. If you used non-relative time then you should get identical counts each time you run the search.
Try running this search to test it:
index="abc" attrs.io.kubernetes.pod.namespace="xyz" earliest=-60d@d latest=-59d@d
| rex "ERRORCODE=-(?<Database_Error_Code>\d{4})"
| stats count by Database_Error_Code
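One way to check the claim above reproducibly, as an added example that is not part of the thread: submit the same SPL twice through the Splunk REST API, once with adhoc_search_level=fast and once with verbose, with the window pinned to fixed earliest/latest values, and compare the job's eventCount and resultCount. SPLUNK_URL and SPLUNK_TOKEN are assumed environment variables; the SPL is the thread's search with the capture group name restored.

```python
"""Compare one SPL search run in fast vs verbose mode over a pinned window."""
import json
import os
import urllib.parse
import urllib.request

SPLUNK_URL = os.environ.get("SPLUNK_URL", "https://localhost:8089")  # assumption
SPLUNK_TOKEN = os.environ.get("SPLUNK_TOKEN", "")                   # assumption

# The thread's search; REST submissions must start with "search" or "|".
SPL = (
    'search index="abc" attrs.io.kubernetes.pod.namespace="xyz" '
    '| rex "ERRORCODE=-(?<EC>\\d{4})" '
    '| stats count by EC'
)


def build_job_params(spl, mode, earliest="-60d@d", latest="-59d@d"):
    """Pin the window explicitly so both runs cover identical events."""
    if mode not in ("fast", "smart", "verbose"):
        raise ValueError("mode must be fast, smart or verbose")
    return {
        "search": spl,
        "earliest_time": earliest,
        "latest_time": latest,          # never 'now': that drifts between runs
        "adhoc_search_level": mode,     # REST equivalent of the UI search mode
        "exec_mode": "blocking",        # POST returns only when the job is done
        "output_mode": "json",
    }


def _call(path, data=None):
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(SPLUNK_URL + path, data=body,
                                 headers={"Authorization": f"Bearer {SPLUNK_TOKEN}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def run_job(params):
    """Submit the job and return the finished job's eventCount and resultCount."""
    sid = _call("/services/search/jobs", params)["sid"]
    content = _call(f"/services/search/jobs/{sid}?output_mode=json")["entry"][0]["content"]
    return {"eventCount": content["eventCount"], "resultCount": content["resultCount"]}


def counts_agree(fast, verbose):
    """True when both modes scanned the same events and produced the same rows."""
    return (fast["eventCount"] == verbose["eventCount"]
            and fast["resultCount"] == verbose["resultCount"])


if __name__ == "__main__":
    runs = {m: run_job(build_job_params(SPL, m)) for m in ("fast", "verbose")}
    print(runs, "agree" if counts_agree(runs["fast"], runs["verbose"]) else "DIFFER")
```

If eventCount differs with the window pinned, the modes really scanned different events; if only resultCount differs, look at the field extraction feeding stats.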
I tried the method you mentioned above. Please find the screenshot below. The count is 10,222 in fast mode and the count is 10,600 with verbose mode.
Post the image with identical SPL in verbose mode.
Please find the second image in answer section.
Image looks broken
Could you please try opening the browser in Chrome?
I'm using Chrome. The first image shows and the second image is broken. Please get this straightened out before replying back.
Please see below for the Verbose image I've uploaded. Please let me know if you can see it without any issue.