Real-time and charts not working in a dashboard

I am having trouble making real-time charts work in my current dashboard. I am working with advanced XML and Sideview Utils and am creating a quite complex search that not only gives me the results I want to chart but also calculates the column assignments that are needed for my HiddenChartFormatter...

this is my search:
system=cics dc="RZ2" | lookup cics_trans_id_lookup.csv cics_trans_id as tran OUTPUT cics_trans_area_name | timechart minspan=5m nullstr="Other" limit=0 dc(cics_trans_area_name) sum(count) sum(cputot) by cics_trans_area_name | foreach dc(cics_trans_area_name)* [eval <>=1] | addtotals dc(cics_trans_area_name)* fieldname=n | eval numbers=mvrange(0,n+1,1) | eval leftColumns=mvjoin(numbers, ",") | eval label="CPU Time [s]" | eval rightColumns=if(label="None","","0,".tostring(n+5)) | eval rightAxisTitle=if(label="None","",",@axisTitleY2") | eval rightAxisLabel=if(label="None","",",@axisLabelsY2") | fields _time, sum(count), sum(cputot), leftColumns, rightColumns, rightAxisTitle, rightAxisLabel | addtotals sum(cputot):* | fields - sum(cputot):*

this results in a table of the following format (each line represents a column):

sum(count): ELAR
sum(count): ELARTEST
sum(count): Mittelfluss
sum(count): NZV
sum(count): Other
sum(count): SYSTEM

When I set an upstream TimeRangePicker to some real-time interval, the search works fine if I fill a Pager/SimpleResultsTable with the search results; it also auto-updates, just as it should.

However, if I try to populate a chart (JSChart or FlashChart) with the results, they ONLY work for normal times, but not real-time intervals. I even removed my HiddenChartFormatter for debugging purposes; still, the charts do not update. Sometimes they disappear, but no real-time data ever gets shown, even if I wait for several minutes...

If I fill the above search into Splunk's search app, it works fine, both table and charting, even for real-time periods...

What am I doing wrong here?

Path Finder

Never mind, a ResultsValueSetter module that I used between my real-time search and the HiddenChartFormatter was the culprit. Getting rid of it fixed everything 😄

