Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

No data is getting displayed on dashboard

pratapa
Explorer
‎07-10-2020 04:19 AM

 

No data is getting displayed on the dashboard.

 

Following is the query.

index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | sum(sessions) AS wsessions by _time,warehouse | timechart avg(wsessions) by warehouse

 

We know the reason for data not getting displayed on dashboard.

Sourcetype wms_oracle_sessions does not exist.

Does it help if we create the sourcetype  wms_oracle_sessions

Labels (1)
Labels
0 Karma
Reply

rabbidroid
Path Finder
‎08-17-2020 09:35 AM

Sourcetypes do not need to exist on the search head. Does the search return results if you remove everything after the raw search? (from the first pipe, till the end)

0 Karma
Reply

gcusello
Esteemed Legend
‎07-10-2020 05:21 AM

Hi @pratapa ,

sum sin't a Splunk command, it's a funtion to use in stats or timechart or other commands.

So you should rebuild your search in something like this:

index=main sourcetype=wms_oracle_sessions 
| bucket span=5m _time 
| stats count AS sessions by _time,warehouse,machine,program 
| timechart avg(sum(sessions)) by warehouse

or better (I cannot test it):

index=main sourcetype=wms_oracle_sessions 
| timechart span=5m avg(dc(program)) by warehouse

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-10-2020 05:08 AM

Yes it helps with indexed data after you have assign that sourcetype to your data on ingestion phase. Old events still  haven’t that sourcetype attribute without reindexing it.

r.ismo

0 Karma
Reply

pratapa
Explorer
‎08-17-2020 03:24 AM

How to assi gn the sourcetype wms_oracle_sessions to the data on ingestion phase.

Tags (1)
0 Karma
Reply

pratapa
Explorer
‎07-15-2020 04:25 AM

We have created sourcetype wms_oracle_sessions but no luck.

No data is getting displayed on the dashboard

0 Karma
Reply

gcusello
Esteemed Legend
‎07-15-2020 04:37 AM

Hi @pratapa,

I see that your search is almost the same of answer https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Missing/m-p/509256#M86624

maybe the solution for that answer could help you!

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...