I have a problem with a query that I'm trying to use on a dashboard. It works weirdly: sometimes it returns the expected results, sometimes it does not and instead shows "No result found". To understand what the problem could be, I opened the query in the Search window. Time window is "7 days", mode is "Smart Mode", query is
File was moved to | timechart count span=1d
and it returns a "No result found" message. See Image_2 attached.
I have made 3 observations with the query:
I spent hours searching for an answer in the Knowledge base, Documentation, and googling, but with no success. What am I doing wrong?
Finally I found out by spending a lot of time.
Please add this line in savedsearches.conf
display.page.search.mode = verbose
You can also refer to this document for more details.
Thank you and sorry for the late reply. I tried your idea and it does not help.
- I copied savedsearches.conf from C:\Program Files\Splunk\etc\system\default to C:\Program Files\Splunk\etc\system\local
- then removed from there everything except one line
display.page.search.mode = verbose and saved
- reloaded dashboard - and still no data on dashboard
If I click "open in Search" it opens the query in Fast Mode. Does it mean that the dashboard still works in Fast mode?
P.S. 5 minutes later data appeared again. I do not understand why it appeared and disappeared without any reason. I have 4 more charts in the same dashboard and never had any problem with them. Very strange issue.
So it means it's working.
Not really, it is not stable. Now I can see again 'No result found' instead of the chart.
When I click "open in Search" it opens the query in Fast Mode.
Does it mean that I did something wrong with savedsearches.conf?
Did you try to insert in your main search the index where you're searching?
It's always a good idea to have quicker searches!
index=my_index File was moved to | timechart count span=1d
Thank you. Yes, I tried to add index="main", so I had the query
index="main" File was moved to | timechart count span=1d
I also tried to add | fields * before timechart transformation with no success.
Usually a dashboard's searches are executed in smart mode.
You can force the mode in the dashboard but it's slower than usual!
Did you try to use quotes in the search?
index="main" "File was moved to" | timechart span=1d count
cusello, yes, I tried to use quotes, with no success, so I simplified the query as much as possible before I desperately decided to post the question here.
I tried to reboot Splunk, and I received the expected result on the dashboard once, and after some minutes (I guess during the next refresh) it again started showing the "No result found" message. So I'm guessing that the problem could be somewhere in the cache mechanism or something like this.
P.S. When I was writing this message, the chart on the dashboard appeared again, without any user interaction or changes (we have it on a wall screen).
logloganathan, thank you for your help. I tried to do it in the following steps:
- clicked "open in search"
- changed to verbose mode
- clicked "save as" and selected "dashboard panel"
- selected an existing dashboard
- refreshed my dashboard and the new panel appeared, but still there is no data
- clicked "open in search" for the new panel and it opened again in "Fast mode"
It proves that the dashboard does not remember the selected mode.