Splunk Search

Timechart returns no data in smart mode, but does return data in Verbose mode

sergevic
Explorer

I have a problem with a query that I'm trying to use on a dashboard. It works weirdly: sometimes it returns the expected results, sometimes it does not and shows "No result found" instead. To understand what the problem could be, I opened the query in the Search window. The time window is "7 days", the mode is "Smart Mode", and the query is

File was moved to | timechart count span=1d

and it returns a "No result found" message. See Image_2 attached.

I have made 3 observations with the query:

  1. If I remove the "timechart" transformation, the query returns more than 5 thousand events. So the data is definitely there.
  2. If I revert the query back to the original (as above), it returns "No result found" again. But if I change to Verbose mode, it returns the expected results. It is something, but there is no way to ask the dashboard to execute the query in Verbose mode, right?
  3. I switched back to Smart mode and it returns "No result found" again, and when I changed the time window from "7 days" to "7 days window", the query returns an almost correct result (see image_1). It is almost correct, as the first value is wrong, because the time window slides, so part of the first day is not included in the search.

I spent hours searching for an answer in the Knowledge base and the Documentation, and googling, but with no success. What am I doing wrong?

logloganathan
Motivator

Finally I found out by spending a lot of time.

Please add this line in savedsearches.conf

display.page.search.mode = verbose

You can also refer to this document for more details:

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/savedsearchesconf

sergevic
Explorer

Thank you, and sorry for the late reply. I tried your idea and it does not help.
- I copied savedsearches.conf from C:\Program Files\Splunk\etc\system\default to C:\Program Files\Splunk\etc\system\local
- then removed everything from there except one line, display.page.search.mode = verbose, and saved
- restarted Splunk
- reloaded the dashboard, and there is still no data on the dashboard

0 Karma

logloganathan
Motivator

Did you check the mode? It must be verbose.

sergevic
Explorer

If I click "open in Search" it opens the query in Fast Mode. Does it mean that the dashboard still works in Fast mode?

P.S. 5 minutes later the data appeared again. I do not understand why it appeared and disappeared without any reason. I have 4 more charts in the same dashboard and never had any problem with them. Very strange issue.

0 Karma

logloganathan
Motivator

The dashboard will take time; that is the limitation I am also facing.

This is because it is running data for 7 days.

So it means it's working.

0 Karma

sergevic
Explorer

> so it means its working
Not really, it is not stable. Now I can see 'No result found' again instead of the chart.

Regarding this:

> I click "open in Search" it opens query in Fast Mode
Does it mean that I did something wrong with savedsearches.conf?

0 Karma

logloganathan
Motivator

I don't know where you made a mistake.
Please recheck from your end.
I have provided the answer from my end.

0 Karma

gcusello
SplunkTrust

Hi sergevic,
Did you try to insert in your main search the index where you're searching?
It's always a good idea to have quicker searches!

index=my_index File was moved to 
| timechart count span=1d

Bye.
Giuseppe

0 Karma

sergevic
Explorer

Thank you. Yes, I tried to add index="main", so I had the query

index="main" File was moved to  | timechart count span=1d

No success.
I also tried to add | fields * before the timechart transformation, with no success.

0 Karma

gcusello
SplunkTrust

Usually a dashboard's searches are executed in smart mode.
You can force the mode in the dashboard, but it's slower than usual!

Did you try to use quotes in the search?

index="main" "File was moved to"  | timechart span=1d count 

Bye.
Giuseppe

0 Karma

sergevic
Explorer

gcusello, yes, I tried to use quotes, with no success, so I simplified the query as much as possible before I desperately decided to post the question here.
I tried to reboot Splunk, and I received the expected result on the dashboard once, and after some minutes (I guess during the next refresh) it again started showing the "No result found" message. So I'm guessing that the problem could be somewhere in the cache mechanism or something like this.

P.S. When I was writing this message, the chart on the dashboard appeared again, without any user interaction or changes (we have it on a wall screen).

0 Karma

logloganathan
Motivator

You can select verbose mode in the options and save as a dashboard panel.

sergevic
Explorer

I have just tried, but on the dashboard I still have "No result found" for the search. I have checked the Source of the dashboard and there is nothing about Verbose mode.

0 Karma

sergevic
Explorer

logloganathan, thank you for your help. I tried to do it in the following steps:
- clicked "open in search"
- changed to verbose mode
- clicked "save as" and selected "dashboard panel"
- selected the existing dashboard
- refreshed my dashboard and the new panel appeared, but there is still no data
- clicked "open in search" for the new panel and it opened again in "Fast mode"
It proves that the dashboard does not remember the selected mode.

logloganathan
Motivator

Let me check again from my end.

0 Karma

logloganathan
Motivator

Click "open in search", then change to verbose mode,
then click "save as" and select "dashboard".

0 Karma