Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard Statistics Table Not Showing

daniel_augustyn
Contributor
‎04-08-2016 01:17 PM

I am building a dashboard and I've been having an issue with presenting Statistics Tables on the dashboard while logged in as another user. I wanted to set it up on the big screens in the SOC using another user account. After I created all dashboards, they are all showing fine, except for the Statistics Table ones. Any idea why I can't show Statistics Tables dashboard to other users via dashboards. I can see it fine on my screen, but on the big screens it shows "No results found".

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-03-2016 07:32 AM

It is likely a permissions problem somewhere. Either the other users do not have permission to access the index, or do not have access to a macro that is used in the search or something like that. Strip off consecutive pipes from the right side until the search works and then see why the other user does not have access to the thing that you just removed.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-03-2016 07:32 AM

It is likely a permissions problem somewhere. Either the other users do not have permission to access the index, or do not have access to a macro that is used in the search or something like that. Strip off consecutive pipes from the right side until the search works and then see why the other user does not have access to the thing that you just removed.

Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎05-03-2016 10:05 AM

I put both users in the same roles: power, admin, and user and this didn't help. Where else should I be looking at the permissions?

0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎05-03-2016 02:40 PM

This query works just fine: index=proxy category=Malicious* | table src, action, cs_method, dest_host, category
but this one doesn't: index=proxy category=Malicious* | stats count by src, action, cs_method, dest_host, category

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-03-2016 10:33 PM

OK, then you should figure out what field extraction or app creates the src, action, cs_method, dest_host, and category fields. Then make sure both users have permission to those. If any field in the by clause is missing/null, then the entire command will fail (drop all events).

0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎05-04-2016 04:53 PM

And this totally fixed the issue!! Thanks a lot, some of the regex didn't have global permission to be read by other users.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-29-2016 07:05 AM

If this is your search:

index=proxy category=Malicious* | stats count by src, action, cs_method, dest_host, category | sort limit=10 -count

Then the problem is the limit=10 which is the wrong syntax. Try this:

index=proxy category=Malicious* | stats count by src, action, cs_method, dest_host, category | sort 10 -count
0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎05-02-2016 10:48 AM

Not sure why this was a wrong syntax, when with the logged in user who created this dashboard, it was showing just fine. It's didn't fix the issue by removing 'limit='.

0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎05-02-2016 10:51 AM

It's so weird, the events are showing under Events tab but Splunk can't generate dashboard from these events. It only works with the user which created this dashboard. I can share it because it doesn't show under other users.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-09-2016 10:15 AM

SHOW US YOUR SEARCH (yes, it makes a difference)!

There are MANY reasons for such a thing but the one that is the most common and frustrating is when searches do not contain an explicit index= ... portion and relies instead on the user's (role's) Indexes searched by default setting. Add an explicit index=... expression and see if that works.

0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎04-28-2016 04:12 PM

index=proxy category=Malicious* | stats count by src, action, cs_method, dest_host, category | sort limit=10 -count

0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎04-28-2016 04:12 PM

There is something wrong with this. It doesn't work again.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-08-2016 02:00 PM

Does the user using which you're running the dashboard has access to the the data (index specifically) on which the table is built?

0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎04-08-2016 02:55 PM

yes, when you present the same dashboard as Lines, Bars, etc, it shows up. The Statistics Table options doesn't want to show the data. It still shows "no results found".

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎04-08-2016 02:26 PM

And also the permissions on knowledge objects, like fields, lookups, etc. If you, for example, do a stats count by private_field, you will get a no results message

0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎04-08-2016 02:58 PM

The same dashboards are showing as Bars, Lines, Areas, but not Tables.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...