Getting Data In

No data is getting displayed on dashboard

pratapa
Explorer

 

No data is getting displayed on the dashboard.

 

Following is the query.

index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | sum(sessions) AS wsessions by _time,warehouse | timechart avg(wsessions) by warehouse

 

We know the reason for data not getting displayed on dashboard.

Sourcetype wms_oracle_sessions does not exist.

Does it help if we create the sourcetype wms_oracle_sessions?

0 Karma

rabbidroid
Path Finder

Sourcetypes do not need to exist on the search head. Does the search return results if you remove everything after the raw search? (from the first pipe, till the end)

0 Karma

gcusello
Esteemed Legend

Hi @pratapa ,

sum isn't a Splunk command, it's a function to use in stats or timechart or other commands.

So you should rebuild your search in something like this:

index=main sourcetype=wms_oracle_sessions 
| bucket span=5m _time 
| stats count AS sessions by _time,warehouse,machine,program 
| stats sum(sessions) AS wsessions by _time,warehouse 
| timechart avg(wsessions) by warehouse

or better (I cannot test it):

index=main sourcetype=wms_oracle_sessions 
| timechart span=5m avg(dc(program)) by warehouse

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust

Yes, it helps with indexed data after you have assigned that sourcetype to your data in the ingestion phase. Old events still won't have that sourcetype attribute without reindexing them.

r.ismo

0 Karma

pratapa
Explorer

How do we assign the sourcetype wms_oracle_sessions to the data in the ingestion phase?

0 Karma

pratapa
Explorer

We have created sourcetype wms_oracle_sessions but no luck.

No data is getting displayed on the dashboard

0 Karma

gcusello
Esteemed Legend

Hi @pratapa,

I see that your search is almost the same as the one in the answer https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Missing/m-p/509256#M86624

Maybe the solution for that answer could help you!

Ciao.

Giuseppe

0 Karma