Splunk Search

Real-time and charts not working in a dashboard

I am having trouble making real-time charts work in my current dashboard. I am working with advanced XML and Sideview Utils and am creating a quite complex search that not only gives me the results I want to chart but also calculates the column assignments that are needed for my HiddenChartFormatter...

This is my search:
system=cics dc="RZ2" | lookup cics_trans_id_lookup.csv cics_trans_id as tran OUTPUT cics_trans_area_name | timechart minspan=5m nullstr="Other" limit=0 dc(cics_trans_area_name) sum(count) sum(cputot) by cics_trans_area_name | foreach dc(cics_trans_area_name)* [eval <<FIELD>>=1] | addtotals dc(cics_trans_area_name)* fieldname=n | eval numbers=mvrange(0,n+1,1) | eval leftColumns=mvjoin(numbers, ",") | eval label="CPU Time [s]" | eval rightColumns=if(label="None","","0,".tostring(n+5)) | eval rightAxisTitle=if(label="None","",",@axisTitleY2") | eval rightAxisLabel=if(label="None","",",@axisLabelsY2") | fields _time, sum(count), sum(cputot), leftColumns, rightColumns, rightAxisTitle, rightAxisLabel | addtotals sum(cputot):* | fields - sum(cputot):*

This results in a table of the following format (each line represents a column):

sum(count): ELAR
sum(count): ELARTEST
sum(count): Mittelfluss
sum(count): NZV
sum(count): Other
sum(count): SYSTEM

When I set an upstream TimeRangePicker to some real-time interval, the search works fine if I fill a Pager/SimpleResultsTable with the search results; it also auto-updates, just as it should.

However, if I try to populate a chart (JSChart or FlashChart) with the results, they ONLY work for normal times, but not real-time intervals. I even removed my HiddenChartFormatter for debugging purposes; still, the charts do not update. Sometimes they disappear, but no real-time data ever gets shown, even if I wait for several minutes...

If I fill the above search into Splunk's search app, it works fine, both table and charting, even for real-time periods...

What am I doing wrong here?

0 Karma

Never mind, a ResultsValueSetter module that I used between my real-time search and the HiddenChartFormatter was the culprit. Getting rid of it fixed everything 😄

0 Karma