Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Missing Data in the Dashboard Tile

jaibalaraman
Path Finder
‎08-30-2024 01:46 AM

Hi All 

We have created a dashboard to monitor CCTV and it was working fine. However suddenly data stopped populating.  We have done any change. 

My finding 

1 - If i select last 30 days i can see the dashboard working fine 

2 - If i select time range last 20 days i can the dashboard is not working

3 - Started trouble shooting the issue and found the below 

Spl query

The below works fine when the time range is last 30 days 

working - index=test 1sourcetype="stream" NOT upsModel=*1234*
|rename Device AS "UPS "
|rename Model AS "UPS Model"
|rename MinRemaining AS "Runtime Remaining"
|replace 3 WITH Utility, 4 WITH Bypass IN "Input Source"
|sort "Runtime Remaining"
|dedup "UPS Name"
|table "UPS Name" "UPS Model" "Runtime Remaining" "Source" "Location"

Note- The same spl query dont work when time range is last 20 days. 

Trouble shooting - Splunk receiving data till date however i have notice few thing, 

When i select last 30 days i can see the by fields in the search 

UPS Name , UPS Model , Runtime Remaining , Source

When i select last 20 days the below fields are missing not sure why? 

Missing fields - UPS Name , UPS Model , Runtime Remaining , Source . So the below SPL query is not showing any data 

index=test 1sourcetype="stream" NOT upsModel=*1234*
|rename Device AS "UPS "
|rename Model AS "UPS Model"
|rename MinRemaining AS "Runtime Remaining"
|replace 3 WITH Utility, 4 WITH Bypass IN "Input Source"
|sort "Runtime Remaining"
|dedup "UPS Name" - 
|table "UPS Name" "UPS Model" "Runtime Remaining" "Source" "Location"

The highlighted part not pulling any data due to missing field.

 

Thanks 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 02:18 AM

Check your index to see when data was last entered

| metadata type=sourcetypes index=test
| fieldformat recentTime=strftime(recentTime,"%F %T")
| fieldformat firstTime=strftime(firstTime,"%F %T")
| fieldformat lastTime=strftime(lastTime,"%F %T")
0 Karma
Reply

jaibalaraman
Path Finder
‎08-30-2024 02:32 AM

jaibalaraman_0-1725010343512.png

 

0 Karma
Reply

jaibalaraman
Path Finder
‎08-30-2024 02:42 AM

jaibalaraman_0-1725010939922.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 03:19 AM

Try this over last 30 days

index=*
| timechart span=1d count by sourcetype
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 02:36 AM

What do you get if you set the timeframe for that search to be last 30 days?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...