Splunk Search

Cluster Map doesn't show correct events


Hello guys,

I have a problem with the "Cluster Map". I added a log 2 weeks ago, and when I run a search over the last 6 weeks the "Cluster Map" shows me the right results, but if I lower the time range picker, for example to the last 15 seconds, there can't be any results, because I uploaded a static log and have no active monitor on this file.

I get the same results that I had before I decreased the time range picker, and the job inspector tells me there are no results in this time range.

This search has completed in 0.276 seconds, but did not match any events. The terms specified in the highlighted portion of the search:
search (source="otrs.log" remoteaddr:) | rex field=remoteaddr "(?<remote_addr>\d+.\d+.\d+).\d+" | iplocation remote_addr | geostats count

over the time range: 10/5/17 4:33:27.000 PM - 10/5/17 4:33:42.000 PM

But I get this map:

[screenshot: the Cluster Map still showing markers for the 15-second range]

If I extend the time range picker to "all time" and decrease it again to the last 15 seconds, it shows me the results from the "all time" search, but if I decrease it to the last 6 weeks, like in my sample picture, I get the right results as above.
For me it looks like the visualisation doesn't change if I get zero events.

So I don't know if it is a bug in 6.6.3 and 7.0 or if something is wrong with my search.

Re: Cluster Map doesn't show correct events


@michel_wolf, I think this is a known behavior which I had noticed even in Splunk 6.4, so this might have existed for a long time now. If you have a valid Splunk Entitlement, you can open a BUG request for this (http://www.splunk.com/r/bugs).

Until it is resolved you can try the following alternative: use the depends and rejects attributes in a Simple XML dashboard to hide the map and show a custom message (using an HTML panel in Simple XML) instead.

[screenshot: dashboard showing the map for a wide range and the "No Results Found" panel for a narrow range]

Using the <done> search event handler, the default job token $job.resultCount$ is accessed to confirm whether the search returned results or not. If no results are returned, the token $tokPlotDataOnMap$ is unset; otherwise it is set to true.

When $tokPlotDataOnMap$ is set, the map is displayed using the depends attribute; when it is unset, the map is hidden and the HTML panel is displayed using the rejects attribute.

<form>
  <label>Cluster Map Results and then No Results through filter</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime"></input>
  </fieldset>
  <row>
    <panel>
      <!-- The map is rendered only while tokPlotDataOnMap is set -->
      <map depends="$tokPlotDataOnMap$">
        <search>
          <query>source="access.log" host="NiketNilay-PC" sourcetype="access_combined_wcookie"
| stats count by clientip method
| iplocation clientip
| geostats latfield=lat longfield=lon sum(count) by method</query>
          <!-- bind the search to the time input so the picker drives the job -->
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <!-- done handler: unset the token when the job returned no results, otherwise set it -->
          <done>
            <condition match="$job.resultCount$==0">
              <unset token="tokPlotDataOnMap"></unset>
            </condition>
            <condition>
              <set token="tokPlotDataOnMap">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="mapping.choroplethLayer.colorBins">5</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.maximumColor">0xDB5800</option>
        <option name="mapping.choroplethLayer.minimumColor">0x2F25BA</option>
        <option name="mapping.choroplethLayer.neutralPoint">0</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
        <option name="mapping.choroplethLayer.showBorder">1</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.legend.placement">bottomright</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.panning">1</option>
        <option name="mapping.map.scrollZoom">0</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.showTiles">1</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
        <option name="mapping.tileLayer.tileOpacity">1</option>
        <option name="mapping.type">marker</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </map>
      <!-- The message panel is rendered only while tokPlotDataOnMap is unset -->
      <html rejects="$tokPlotDataOnMap$">
        <div style="font-weight:bold;text-align:center;color:red;">No Results Found to plot on Map. Please select a wider date range</div>
      </html>
    </panel>
  </row>
</form>

PS: The above dashboard code is based on the Splunk Tutorial Data for Buttercup Games, which is refreshed weekly at the following link: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Systemrequirements#Download_the_tu...
Please follow the instructions to load the data first. I have loaded the same into Splunk's main (default) index.

| eval message="Happy Splunking!!!"

Re: Cluster Map doesn't show correct events

Could you please tell me how to resolve this issue? Is there any patch available for the same?