Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Missing Data in the Dashboard Tile

jaibalaraman
Path Finder
‎08-30-2024 01:46 AM

Hi All 

We have created a dashboard to monitor CCTV and it was working fine. However suddenly data stopped populating.  We have done any change. 

My finding 

1 - If i select last 30 days i can see the dashboard working fine 

2 - If i select time range last 20 days i can the dashboard is not working

3 - Started trouble shooting the issue and found the below 

Spl query

The below works fine when the time range is last 30 days 

working - index=test 1sourcetype="stream" NOT upsModel=*1234*
|rename Device AS "UPS "
|rename Model AS "UPS Model"
|rename MinRemaining AS "Runtime Remaining"
|replace 3 WITH Utility, 4 WITH Bypass IN "Input Source"
|sort "Runtime Remaining"
|dedup "UPS Name"
|table "UPS Name" "UPS Model" "Runtime Remaining" "Source" "Location"

Note- The same spl query dont work when time range is last 20 days. 

Trouble shooting - Splunk receiving data till date however i have notice few thing, 

When i select last 30 days i can see the by fields in the search 

UPS Name , UPS Model , Runtime Remaining , Source

When i select last 20 days the below fields are missing not sure why? 

Missing fields - UPS Name , UPS Model , Runtime Remaining , Source . So the below SPL query is not showing any data 

index=test 1sourcetype="stream" NOT upsModel=*1234*
|rename Device AS "UPS "
|rename Model AS "UPS Model"
|rename MinRemaining AS "Runtime Remaining"
|replace 3 WITH Utility, 4 WITH Bypass IN "Input Source"
|sort "Runtime Remaining"
|dedup "UPS Name" - 
|table "UPS Name" "UPS Model" "Runtime Remaining" "Source" "Location"

The highlighted part not pulling any data due to missing field.

 

Thanks 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 02:18 AM

Check your index to see when data was last entered

| metadata type=sourcetypes index=test
| fieldformat recentTime=strftime(recentTime,"%F %T")
| fieldformat firstTime=strftime(firstTime,"%F %T")
| fieldformat lastTime=strftime(lastTime,"%F %T")
0 Karma
Reply

jaibalaraman
Path Finder
‎08-30-2024 02:32 AM

jaibalaraman_0-1725010343512.png

 

0 Karma
Reply

jaibalaraman
Path Finder
‎08-30-2024 02:42 AM

jaibalaraman_0-1725010939922.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 03:19 AM

Try this over last 30 days

index=*
| timechart span=1d count by sourcetype
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 02:36 AM

What do you get if you set the timeframe for that search to be last 30 days?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...