I have a problem with a query, that I'm trying to use on a dashboard. It works weird: sometimes it returns expected results, sometimes does not and shows instead "No result found". To understand what could be a problem I opened the query in Search window. Time window is "7 days", mode "Smart Mode", query is
File was moved to | timechart count span=1d
and it returns "No result found" message. see Image_2 attached.
I have made 3 observations with the query:
I spend hours searching an answer in Knowledge base, Documentation, googling, but with no success. What I'm doing wrong?
Finally i found out by spending lot of time.
Please add this line in savedsearches.conf
display.page.search.mode = verbose
you can also refer this document for more details
http://docs.splunk.com/Documentation/Splunk/6.1/Admin/savedsearchesconf
Thank you and sorry for late reply. I tried your idea and it does not help.
- I copied savedsearches.conf from C:\Program Files\Splunk\etc\system\default to C:\Program Files\Splunk\etc\system\local
- then removed from there everything except one line
display.page.search.mode = verbose and saved
-restarted splunk
- reloaded dashboard - and still no data on dashboard (link text
did you checked the mode? it must be verbose
If I click "open in Search" it opens query in Fast Mode. Does is mean that the dashboard still work in Fast mode?
P.s. 5 minutes later data appeared again link text. I do not understand why it appeared and disappeared without any reason. I have 4 more charts in the same dashboard and never had any problem with them. Very strange issue.
dashboard will take time that the limitation i am also facing.
this is because it running data for 7 days.
so it means its working
so it means its working
no really, it is not stable. Now I can see again 'No result found' instead of the chart.
regarding this
I click "open in Search" it opens query in Fast Mode
does it mean that I made something wrong with savedsearches.conf ?
i don't know where you did mistake.
Please recheck from your end.
i have provided the answer from my end.
Hi sergevic,
did you tried to insert in your main search the index where you're searching?
it's always a good idea to have quicker searches!
index=my_index File was moved to
| timechart count span=1d
Bye.
Giuseppe
Thank you. Yes, I tried to add index="main", so I had the query
index="main" File was moved to | timechart count span=1d
no success.
I also tried to add | fields * before timechart transformation with no success.
Usually dashboard's searches are executed in smart mode.
You can force the mode in dashboard but it's slower than usual!
did you tried to use quotes in search?
index="main" "File was moved to" | timechart span=1d count
Bye.
Giuseppe
cusello, yes, I tried to use quotes, with no success, so I simplified query as much as possible before I desperately decided to post the question here.
I tried to reboot splunk, and I received expected result on dashboard once, and after some minutes (i guess during next refresh) it again started showing "No result found" message. So I'm guessing that problem could be somewhere in cache mechanism or something like this.
P.S. When I was writing this message, chart on dashboard appeared again, without any user interaction or changes (we have it on wall screen).
you can select verbose mode in the option and save as dashboard panel
I have just tried, but on the dashboard I still have "No result found" for the search. I have checked Source of the dashboard and there is nothing about Verbose mode.
logloganathan, thank you for your help. I tried to make it in following steps
- clicked "open in search"
- changed to verbose mode
- clicked "save as" and selected "dashboard panel"
- selected existent dashboard
- refreshed my dashboard and new panel appeared, but still there is no data
- clicked "open in search" for the new panel and it opened again in "Fast mode"
it proves that dashboard does not remember selected mode.
let me check again from my end..
click open in search then change to verbose mode
then click "save as" and select "dashboard"