Splunk Search

View panel does not display all results.

maires
New Member

For the life of me I cannot figure out why a panel that is doing an inline search displayed as a chart does not show all (or any for that matter) of the results that come up when I click view results. I specifically set the time for -90days to see a 3 month interval. The bar chart or column chart I think it is will show several days at the most with no data... and then when I click view results I see it pulled up in search mode with several results that just were not graphed.

Does it matter that my free trial license is over limit on indexing? I know we don't do 500mb a day of data.. but this initial indexing has me 250% over the limit. I have asked about purchasing a license but it is not something I am going to proceed with unless I can figure out the cause of this issue.

~Matt

0 Karma

sideview
SplunkTrust

Can you paste in the search that you're using? Not all search results are chartable, so if it's literally displaying nothing in the chart and something when you click 'view results', that's my guess. If you paste in the search or a close analogue thereof I'll be able to tell you what the problem is.

And no, in your case it shouldn't matter that you went over your license limit recently.

UPDATE: your search Authentication Failure will indeed match events, but the charting stuff cannot do anything with raw events; you need to use a reporting command in your search.

If you change the search to be

Authentication Failure | timechart count

then it will show the frequency of those events over time.

Likewise if you had a field extracted called 'username', then you could do this:

Authentication Failure | timechart count by username

which would break the same graph down by username, or

Authentication Failure | top 50 username

which would show the top 50 usernames with authentication failures overall.


0 Karma
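
The fix from the accepted answer applied to a dashboard panel, as an added example that is not part of the original thread. It assumes current Simple XML element names; the panel title and the 90-day window come from the thread, while the one-day span and five-minute refresh are constructed values.

```xml
<dashboard>
  <label>Auth Failures</label>
  <row>
    <panel>
      <chart>
        <title>Auth Failures</title>
        <search>
          <!-- A bare "Authentication Failure" query returns raw events,
               which a chart cannot plot. Ending the search with a
               reporting command gives the chart a table of _time and
               count values to draw. -->
          <query>Authentication Failure | timechart span=1d count</query>
          <!-- Three-month window, snapped to the start of the day. -->
          <earliest>-90d@d</earliest>
          <latest>now</latest>
          <!-- Constructed value: rerun the search every five minutes so
               new failures appear without reloading the page. -->
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

If a username field is extracted, ending the query with `timechart span=1d count by username` gives the same per-user breakdown the answer describes.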

maires
New Member

Nick! You're my hero! So the charts that show up when you perform a regular search... have built in reporting language that's not used when you build a dashboard... Thank you thank you thank you!

0 Karma

maires
New Member

That's the XML from the dashboard I am using... only thing I have done on my own is add the refresh in really. I just want it to continually display any new authentication errors so that I can react to them in a reasonable amount of time.

0 Karma

maires
New Member

<?xml version='1.0' encoding='utf-8'?>




Authentication Failure
Auth Failures
all


spamhaus
Spamhaus


all


0 Karma

maires
New Member

Currently I am running an inline search... before I had a saved search and I was concerned that that was the problem.

When I click edit dashboard I can then go to panel layout and click edit panel...

Doing an inline search string for Authentication Failure no quotes or anything just those two words...

I had earliest time set to some nonsense but just taking that out it looks like the graph goes back to March 13th now... (not showing any data but at least the date range is somewhat better). When I click on show results I have Authentication Failures showing up in my logs from yesterday.

0 Karma