When using tstats/TSIDX and when using pivot/datamodel, the dashboard panels don't seem to heed the time range set in the time range picker for the dashboard. This doesn't happen all the time, but it happens a lot, and it happens in multiple dashboards, e.g. https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/develop/default/data/ui/views/...
If I add the following line to the WHERE clause of the tstats command, the problem goes away:
WHERE earliest=$earliest$ latest=$latest$
I checked the Splunk 6 known issues page but didn't see anything about this. Is this a bug, or is this the appropriate way to use tstats?
I appreciate your insights.
The default value in the form of
<input type="time" searchWhenChanged="true">
    <default>
        <earliestTime>-60m</earliestTime>
        <latestTime>now</latestTime>
    </default>
</input>
is valid as of Splunk 6 and is also listed in view.rnc. The major benefit is that this notation allows you to specify any time range, not just preconfigured ones.
According to the screenshot, the error seems to occur in the <populatingSearch> of a dropdown input. Have you tried specifying the time range explicitly there?
<populatingSearch fieldForValue="app" fieldForLabel="app_with_count" earliest="$earliest$" latest="$latest$">
    | tstats count(app) as count FROM pan_traffic WHERE groupby app
    | eval app_with_count = app . " (" . count . ")"
</populatingSearch>
After further investigation, it's not just dashboard timepickers that are being ignored. If I go to Pivot and put 'All time' or '2 seconds' I get the same results, which is incorrect. Also, it doesn't affect every server with Splunk, only some (I have one where it is currently reproduced).
I also observed that the data model on that server is accelerated, but under the acceleration info it says 'Size on Disk' is '0.00MB', even though it says the status is 100% completed. Perhaps the datamodel is getting corrupted somehow?
Thanks, I tried adding the earliest and latest parameters to the populatingSearch element, but it didn't change anything. Still getting the same error.
Keep in mind that the error I'm seeing is not on the dashboard in the original question, it's actually on this dashboard which leverages the Data Model:
I don't know if the error in the screenshot is related to the original problem which is the dashboard timepicker is being ignored.
A few things to try/verify:
One. Per the view.rnc for simple XML, "only preset values defined in times.conf are recognized". Therefore your specification of:
<input type="time" searchWhenChanged="true">
    <default>Last 60 minutes</default>
</input>
Two. You do not have to specify earliest/latest in each of the panels or in the where clauses.
It looks like things should work after that (hopefully). You'll also want to use "where * $token1$ $token2$ ...", so that if not all tokens are populated you still have a valid "where" clause.
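To show the three points from the answer above in one place, here is a complete simple XML form, written against the Splunk 6.0 dashboard syntax this thread uses (populatingSearch, searchString, earliestTime/latestTime). It is an added example, not code from the thread or from the SplunkforPaloAltoNetworks app. It assumes a TSIDX namespace named pan_traffic with a field named app, as in the question; the token name app_filter and the panel title are made up for illustration.

```xml
<form>
  <label>PAN traffic by application (added example)</label>
  <!-- Added example, not from the PAN app or this thread. Assumes a tsidx
       namespace called pan_traffic with a field named app, as in the question. -->
  <fieldset submitButton="false">
    <!-- No token attribute: this picker sets the form-wide $earliest$/$latest$
         that every search without its own earliestTime/latestTime inherits,
         so panels do not need to repeat them. -->
    <input type="time" searchWhenChanged="true">
      <label>Time range</label>
      <!-- Preset label as defined in times.conf. -->
      <default>Last 60 minutes</default>
    </input>
    <!-- Dropdown whose populating search is pinned to the picker explicitly,
         since that is the search the thread reports ignoring the picker. -->
    <input type="dropdown" token="app_filter" searchWhenChanged="true">
      <label>Application</label>
      <choice value="*">All</choice>
      <default>*</default>
      <!-- prefix/suffix turn the selected value into app="value". -->
      <prefix>app="</prefix>
      <suffix>"</suffix>
      <populatingSearch fieldForValue="app" fieldForLabel="app"
                        earliest="$earliest$" latest="$latest$">
        | tstats count FROM pan_traffic groupby app
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Sessions per application over time</title>
      <!-- "WHERE *" keeps the clause valid even if $app_filter$ expands empty;
           no earliestTime/latestTime here, so the picker's range applies. -->
      <searchString>| tstats count FROM pan_traffic WHERE * $app_filter$ groupby _time span=5m</searchString>
      <option name="charting.chart">column</option>
    </chart>
  </row>
</form>
```

To confirm whether a given panel actually honours the picker, open that panel's search in the job inspector and compare the earliestTime and latestTime shown under the search job properties with what the picker is set to; if they disagree, the dispatch is ignoring the form tokens and the explicit earliest/latest on the search is the workaround to apply.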
I don't think these lines are problems because they were created by Splunk when the dashboard was created. So if those lines are wrong, then Splunk is creating them wrong.
The example link above may be a bad example because it has a workaround for the problem in it. Here is an example that consistently manifests the issue:
Here is an error I get when accessing that dashboard, and the inspection info: