
No data is getting displayed on dashboard

pratapa
Explorer

 

No data is getting displayed on the dashboard.

 

Following is the query.

index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | sum(sessions) AS wsessions by _time,warehouse | timechart avg(wsessions) by warehouse

 

We know the reason for data not getting displayed on dashboard.

Sourcetype wms_oracle_sessions does not exist.

Does it help if we create the sourcetype wms_oracle_sessions?

0 Karma

rabbidroid
Path Finder

Sourcetypes do not need to exist on the search head. Does the search return results if you remove everything after the raw search? (from the first pipe, till the end)

0 Karma

gcusello
Esteemed Legend

Hi @pratapa ,

sum isn't a Splunk command, it's a function to use in stats or timechart or other commands.

So you should rebuild your search in something like this:

index=main sourcetype=wms_oracle_sessions 
| bucket span=5m _time 
| stats count AS sessions by _time,warehouse,machine,program 
| timechart avg(sum(sessions)) by warehouse

or better (I cannot test it):

index=main sourcetype=wms_oracle_sessions 
| timechart span=5m avg(dc(program)) by warehouse

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust

Yes, it helps with indexed data after you have assigned that sourcetype to your data in the ingestion phase. Old events still won't have that sourcetype attribute without reindexing them.

r.ismo

0 Karma

pratapa
Explorer

How to assign the sourcetype wms_oracle_sessions to the data in the ingestion phase?

0 Karma

pratapa
Explorer

We have created sourcetype wms_oracle_sessions but no luck.

No data is getting displayed on the dashboard

0 Karma

gcusello
Esteemed Legend

Hi @pratapa,

I see that your search is almost the same as the one in this answer: https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Missing/m-p/509256#M86624

maybe the solution for that answer could help you!

Ciao.

Giuseppe

0 Karma
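
An added example, not part of any post in this thread: the first search lists which sourcetypes actually hold events in index=main, which shows whether wms_oracle_sessions was ever assigned at ingestion; the second is the question's pipeline with the invalid `| sum(...)` step written as a second stats. It assumes the intent was to total sessions per warehouse in each 5-minute bucket and then average those totals.

```spl
| tstats count where index=main by sourcetype

index=main sourcetype=wms_oracle_sessions
| bucket span=5m _time
| stats count AS sessions by _time, warehouse, machine, program
| stats sum(sessions) AS wsessions by _time, warehouse
| timechart span=5m avg(wsessions) by warehouse
```

If the first search returns no row for wms_oracle_sessions, the second will stay empty until new events are ingested with that sourcetype.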