The value changes between search result and dashboard

appleman
Contributor

Hello,

I created this search, and the result is 37. However, when I put it on a dashboard, the result turns out to be 2916, as the screenshot shows. I want to change the result to be 37 on the dashboard. How do I do that?

source=A id=* [| stats count | addinfo | eval earliest=relative_time(info_min_time,"-7d@d")
| eval latest=relative_time(info_min_time, "-6d@d")
| return earliest latest ]
| stats dc(name) as name
| append [search source=A id=*
| stats dc(name) as name ]
| stats range(name)


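When I run the following search, 37 is returned as the result, but why is 2916 displayed as the result when I put it on a dashboard? I would also appreciate it if you could tell me how to display 37.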

0 Karma
1 Solution

somesoni2
SplunkTrust

Two questions:
1. What is the time range selected when you're executing the search in the search app? I see that for the search query after append there is no earliest or latest defined.
2. Are you using any time range picker in your dashboard?

It may be that you are not using any time range picker in the dashboard, so by default it's taking 'All times', thus returning more rows.

somesoni2
SplunkTrust

I have converted my comment to an answer so that you can close the question.

0 Karma

appleman
Contributor

In the search app, I used a custom time range, but I didn't use a time range picker in my dashboard. Now I see why different results came out. Thank you.

0 Karma
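
One way to apply the answer above, as an added example that is not code from the original posts: a Simple XML form whose time range picker drives the panel search, so the dashboard no longer falls back to 'All time'. The token name `time_tok`, the label text and the default range are assumptions; set the default to the custom range used in the search app.

```xml
<!-- Added example: token name, labels and default range are assumptions -->
<form>
  <label>Distinct name range</label>
  <fieldset submitButton="false">
    <!-- Time range picker; without one the panel search runs over All time -->
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <!-- Placeholder default: replace with the custom range used in the search app -->
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query><![CDATA[
source=A id=* [| stats count | addinfo
    | eval earliest=relative_time(info_min_time, "-7d@d")
    | eval latest=relative_time(info_min_time, "-6d@d")
    | return earliest latest ]
| stats dc(name) as name
| append [search source=A id=*
    | stats dc(name) as name ]
| stats range(name)
          ]]></query>
          <!-- The picker's tokens bound the whole search, including the append
               subsearch, which sets no earliest/latest of its own -->
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```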
