Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing Data in the Dashboard Tile

jaibalaraman
Path Finder
‎08-30-2024 01:46 AM

Hi All 

We have created a dashboard to monitor CCTV and it was working fine. However suddenly data stopped populating.  We have done any change. 

My finding 

1 - If i select last 30 days i can see the dashboard working fine 

2 - If i select time range last 20 days i can the dashboard is not working

3 - Started trouble shooting the issue and found the below 

Spl query

The below works fine when the time range is last 30 days 

working - index=test 1sourcetype="stream" NOT upsModel=*1234*
|rename Device AS "UPS "
|rename Model AS "UPS Model"
|rename MinRemaining AS "Runtime Remaining"
|replace 3 WITH Utility, 4 WITH Bypass IN "Input Source"
|sort "Runtime Remaining"
|dedup "UPS Name"
|table "UPS Name" "UPS Model" "Runtime Remaining" "Source" "Location"

Note- The same spl query dont work when time range is last 20 days. 

Trouble shooting - Splunk receiving data till date however i have notice few thing, 

When i select last 30 days i can see the by fields in the search 

UPS Name , UPS Model , Runtime Remaining , Source

When i select last 20 days the below fields are missing not sure why? 

Missing fields - UPS Name , UPS Model , Runtime Remaining , Source . So the below SPL query is not showing any data 

index=test 1sourcetype="stream" NOT upsModel=*1234*
|rename Device AS "UPS "
|rename Model AS "UPS Model"
|rename MinRemaining AS "Runtime Remaining"
|replace 3 WITH Utility, 4 WITH Bypass IN "Input Source"
|sort "Runtime Remaining"
|dedup "UPS Name" - 
|table "UPS Name" "UPS Model" "Runtime Remaining" "Source" "Location"

The highlighted part not pulling any data due to missing field.

 

Thanks 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 02:18 AM

Check your index to see when data was last entered

| metadata type=sourcetypes index=test
| fieldformat recentTime=strftime(recentTime,"%F %T")
| fieldformat firstTime=strftime(firstTime,"%F %T")
| fieldformat lastTime=strftime(lastTime,"%F %T")
0 Karma
Reply

jaibalaraman
Path Finder
‎08-30-2024 02:32 AM

jaibalaraman_0-1725010343512.png

 

0 Karma
Reply

jaibalaraman
Path Finder
‎08-30-2024 02:42 AM

jaibalaraman_0-1725010939922.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 03:19 AM

Try this over last 30 days

index=*
| timechart span=1d count by sourcetype
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 02:36 AM

What do you get if you set the timeframe for that search to be last 30 days?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...