Splunk Enterprise Security

Single value delta in glass tables ES showing up as N/A but drilling down shows results

Explorer

I'm having an issue where building a glass table in ES for a single value delta ad-hoc search is showing up as N/A, but drilling into it shows me the visualization I want.

My search:
| inputlookup file.csv
| stats count by CASE_CLOSURETIME
| eval NewTime=strptime(CASE_CLOSURETIME,"%Y-%m-%d %H:%M:%S")
| eval _time=NewTime | sort -_time
| timechart count span=1mon
| tail 3
| sort _time

Essentially, CASE_CLOSURETIME is in the same time format as _time, and the search shows me the results I want with the historical trend as a single value visualization in SPL, but I cannot get the same to show up in Glass Tables.


Re: Single value delta in glass tables ES showing up as N/A but drilling down shows results

Explorer

Sorry, here's a better search (still the same results) but I know Glass Tables viz needs to end with timechart:

| inputlookup file.csv
| stats count by CASE_CLOSURETIME
| eval NewTime=strptime(CASE_CLOSURETIME,"%Y-%m-%d %H:%M:%S")
| eval _time=NewTime
| timechart count span=1mon


Re: Single value delta in glass tables ES showing up as N/A but drilling down shows results

Ultra Champion

Did you ever find a solution to this? Running into the same today. Feel like the delta viz expects some specific fields (value and delta or so?) rather than just a timechart.


Re: Single value delta in glass tables ES showing up as N/A but drilling down shows results

Explorer

No, I did not. As someone stated below, the timechart w/ lookups isn't part of the design scheme (it doesn't really make sense to me why that can't be added).
The route I was told to go from Splunk was to get the data ingested into an index and then call it that way.


Re: Single value delta in glass tables ES showing up as N/A but drilling down shows results

SplunkTrust

Because of the recent comment: Like the thread owner said, glass tables can only display single values. A timechart isn't part of that. See the docs for a description of what works.

Skalli


Re: Single value delta in glass tables ES showing up as N/A but drilling down shows results

Ultra Champion

This question was about the single-value delta visualization, right? That typically is based on timechart-like data? Also: it works fine if I use the sparkline visualization. Just the single-value delta visualization fails.
