Splunk Search

Timechart returns no data in smart mode, but does return data in Verbose mode

Explorer

I have a problem with a query that I'm trying to use on a dashboard. It behaves weirdly: sometimes it returns the expected results, sometimes it does not and shows "No result found" instead. To understand what the problem could be, I opened the query in the Search window. The time window is "7 days", the mode is "Smart Mode", and the query is

File was moved to | timechart count span=1d

and it returns a "No result found" message (see Image_2 attached).

I have made 3 observations with the query:

  1. If I remove the "timechart" transformation, the query returns more than 5 thousand events. So the data is definitely there.
  2. If I revert the query back to the original (as above), it returns "No result found" again. But if I change to Verbose mode, it returns the expected results. It is something, but there is no way to ask the dashboard to execute the query in Verbose mode, right?
  3. I switched back to Smart mode and it returned "No result found" again, and when I changed the time window from "7 days" to "7 days window", the query returned an almost correct result (see image_1). It is almost correct, as the first value is wrong: because the time window slides, part of the first day is not included in the search.

I spent hours searching for an answer in the Knowledge Base and the documentation, and googling, but with no success. What am I doing wrong?

Motivator

Finally I found out, after spending a lot of time.

Please add this line in savedsearches.conf:

display.page.search.mode = verbose

You can also refer to this document for more details:

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/savedsearchesconf

Explorer

Thank you, and sorry for the late reply. I tried your idea and it does not help.
- I copied savedsearches.conf from C:\Program Files\Splunk\etc\system\default to C:\Program Files\Splunk\etc\system\local
- then removed from there everything except one line,
display.page.search.mode = verbose, and saved
- restarted Splunk
- reloaded the dashboard - and still no data on the dashboard

Motivator

Did you check the mode? It must be verbose.

Explorer

If I click "open in Search", it opens the query in Fast Mode. Does it mean that the dashboard still works in Fast mode?

P.S. 5 minutes later the data appeared again. I do not understand why it appeared and disappeared without any reason. I have 4 more charts in the same dashboard and never had any problem with them. Very strange issue.

Motivator

The dashboard will take time; that is the limitation I am also facing.

This is because it is running over data for 7 days.

So it means it's working.

Explorer

so it means its working
No, really, it is not stable. Now I can see 'No result found' again instead of the chart.

Regarding this:

I click "open in Search" it opens query in Fast Mode
Does it mean that I did something wrong with savedsearches.conf?

Motivator

I don't know where you made the mistake.
Please recheck from your end.
I have provided the answer from my end.

Legend

Hi sergevic,
did you try to insert in your main search the index where you're searching?
It's always a good idea, to have quicker searches!

index=my_index File was moved to 
| timechart count span=1d

Bye.
Giuseppe

Explorer

Thank you. Yes, I tried to add index="main", so I had the query

index="main" File was moved to  | timechart count span=1d

No success.
I also tried to add | fields * before the timechart transformation, with no success.

Legend

Usually a dashboard's searches are executed in smart mode.
You can force the mode in the dashboard, but it's slower than usual!

Did you try to use quotes in the search?

index="main" "File was moved to"  | timechart span=1d count 

Bye.
Giuseppe

Explorer

cusello, yes, I tried to use quotes, with no success, so I simplified the query as much as possible before I desperately decided to post the question here.
I tried to reboot Splunk, and I received the expected result on the dashboard once, and after some minutes (I guess during the next refresh) it again started showing the "No result found" message. So I'm guessing that the problem could be somewhere in the cache mechanism or something like this.

P.S. When I was writing this message, the chart on the dashboard appeared again, without any user interaction or changes (we have it on a wall screen).

Motivator

You can select verbose mode in the options and save as a dashboard panel.

Explorer

I have just tried, but on the dashboard I still have "No result found" for the search. I have checked the source of the dashboard and there is nothing about Verbose mode.

Explorer

logloganathan, thank you for your help. I tried to do it in the following steps:
- clicked "open in search"
- changed to verbose mode
- clicked "save as" and selected "dashboard panel"
- selected the existing dashboard
- refreshed my dashboard and the new panel appeared, but still there is no data
- clicked "open in search" for the new panel and it opened again in "Fast mode"
It proves that the dashboard does not remember the selected mode.

Motivator

Let me check again from my end.

Motivator

Click "open in search", then change to verbose mode,
then click "save as" and select "dashboard".
