Re: Dashboard Panel Showing Different Results from...

rescobar713 · ‎07-02-2015

I'm trying to save the following search as a single value dashboard panel (from a report):

activity_type=40 direct_object_type=102 | dedup direct_dw_object_id sortby -activity_ts | where ![...] | ... | stats distinct_count(object_id)

When I run this in search or as a report I get what I believe to be an accurate result (446). However, when I try to convert it from a report to a dashboard panel it returns 81, which I'm sure is incorrect. The time range for all three of these formats (search, report, and dashboard panel) is set to All time, so I don't think it has anything to do with that.

Any idea what could be causing this?

woodcock · ‎07-02-2015

I am sure the problem is the time being used for your search. Use this search in your panel and I am sure it will work as a work-around (but you should circle back around and figure out what is broken in your time settings for your panel:

earliest=0 latest=2000000000 activity_type=40 direct_object_type=102 | dedup direct_dw_object_id sortby -activity_ts | where ![...] | ... | stats distinct_count(object_id)

rescobar713 · ‎07-06-2015

I still get the same result. Like I said, I don't think it has to to with time, but I still have no idea what else would be causing this. Any suggestions on what I can do to figure out what's going wrong?

woodcock · ‎07-06-2015

It is very poor form to not specify both a complete index= directive and also a complete sourcetype= directive. Add both of these to your search and see what happens.

rescobar713 · ‎07-06-2015

I only have one index, and all the events in that index have the same sourcetype. Adding those statements did nothing. I do not think this is simply a syntactical issue, it seems that the search in the dashboard panel is being conducted differently from the search in the report or the standalone search.

Thanks for your help so far, though. This issue is pretty pesky.

woodcock · ‎07-06-2015

Are you using a lookup in your hidden stuff? Maybe it is somehow out of scope/context in the dashbaord. Without your complete search, it is hard to guess/help more.

rescobar713 · ‎07-06-2015

I opened the search twice in the job inspector (once from the report, and once from the dashboard panel) and I found some discrepancies in the "Execution cost" section.

Report (correct results):
Component | Invocations | Input count | Output count
command.dedup | 1 | 1,300,000 | 2,442
command.eval | 2 | 3,694 | 3,694
command.prededup | 29 | 165,081 | 9,565
command.where | 2 | 4,289 | 2,294

Dashboard Panel (incorrect results):
Component | Invocations | Input count | Output count
command.dedup | 1 | 2,350,000 | 2,442
command.eval | 2 | 4,312 | 4,312
command.prededup | 52 | 165,081 | 21,389
command.where | 2 | 4,598 | 2,813

rescobar713 · ‎07-06-2015

Ok, here is the full search:

activity_type=40 direct_object_type=102 | dedup direct_dw_object_id sortby -activity_ts | where ![search deleted_ts object_type=102 | fields object_id] | eval last_modified_epoch=activity_ts | eval modAgeSeconds = ((now() - last_modified_epoch)/31536000) | where modAgeSeconds > 1 | stats count as Total

The hidden parts were a subsearch and some eval arithmetic. I don't see how the evals would cause inconsistencies, but perhaps the subsearch is failing in the dashboard? I'm not sure how/why that would happen.

Dashboard Panel Showing Different Results from Report

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)