Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard panel

rahul2gupta
Path Finder
‎07-12-2020 06:42 PM

Hi @isoutamo ,

When I am running the following query in verbose mode it giving me results but not in fast mode.

index=symantec sourcetype=sep12:scan status=completed | stats count

As Dashboard panel uses fast mode.What necessary modification do I need to do to get the results in fast mode.

Regards,

Rahul

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-13-2020 12:32 AM

@rahul2gupta,

So you might have multiple field extraction and hence it needs explicit mention about fields

So you may use

index=symantec sourcetype="sep12:scan" |fields * 
|where status="completed"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-12-2020 10:19 PM

@rahul2gupta 

It's normally because of the extracted fields. Use "|fields " to explicitly specify the field

Try

index=symantec sourcetype=sep12:scan |fields status|where status=completed |stats count

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

rahul2gupta
Path Finder
‎07-12-2020 10:29 PM

Hi @renjith_nair ,

I tried but it did not worked.Please find the screen shot below.

rahul2gupta_0-1594618015069.png

rahul2gupta_1-1594618092608.png

 

rahul2gupta_2-1594618130946.png

Regards,

Rahul

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-12-2020 10:39 PM

Can you try this in fast mode and see if you are getting events with status?

 

index=symantec sourcetype="sep12:scan" status=*

 

OR

index=symantec sourcetype="sep12:scan" |fields *
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

rahul2gupta
Path Finder
‎07-12-2020 11:34 PM

Hi @renjith_nair .

I ran the following query index=symantec sourcetype="sep12:scan" |fields * and I could able to get events in fast mode.

Please find the screen shot below.

dash.PNG

But it did not worked for index=symantec sourcetype="sep12:scan" status=* 

dash1.PNG

Regards,

Rahul

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-13-2020 12:32 AM

@rahul2gupta,

So you might have multiple field extraction and hence it needs explicit mention about fields

So you may use

index=symantec sourcetype="sep12:scan" |fields * 
|where status="completed"
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

rahul2gupta
Path Finder
‎07-13-2020 12:35 AM

Hi @renjith_nair ,

I used the following query index=symantec sourcetype=sep12:scan status=completed |fields * |stats count

and it worked.

Regards,

Rahul

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...