No data is getting displayed on the dashboard.
Following is the query.
index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | sum(sessions) AS wsessions by _time,warehouse | timechart avg(wsessions) by warehouse
We know the reason for data not getting displayed on dashboard.
Sourcetype wms_oracle_sessions does not exist.
Does it help if we create the sourcetype wms_oracle_sessions?
Sourcetypes do not need to exist on the search head. Does the search return results if you remove everything after the raw search? (from the first pipe, till the end)
Hi @pratapa ,
sum isn't a Splunk command, it's a function to use in stats or timechart or other commands.
So you should rebuild your search into something like this:
index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | timechart avg(sum(sessions)) by warehouse
or better (I cannot test it):
index=main sourcetype=wms_oracle_sessions | timechart span=5m avg(dc(program)) by warehouse
Yes, it helps with indexed data after you have assigned that sourcetype to your data in the ingestion phase. Old events still won't have that sourcetype attribute without reindexing them.
How to assign the sourcetype wms_oracle_sessions to the data in the ingestion phase?
We have created sourcetype wms_oracle_sessions but no luck.
No data is getting displayed on the dashboard.
I see that your search is almost the same as the one in the answer at https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Missing/m-p/509256#M86624
Maybe the solution for that answer could help you!