Splunk Search

Why do my results appear and then disappear on a map?

BlueSocket
Communicator

Dear All,

I have a geostats search that is providing a mapped view of events over a single area. It is like this:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count by loss

At first, the map shows up the results, but after about 5 minutes, if I come back to the map, the results disappear.

Is this because the results in the search job are removed after a certain amount of time or is it being there has been a timeout or what?

The number of events is about 700000, by the way.

Kind regards,

BlueSocket

1 Solution

BlueSocket
Communicator

The answer to this was the MaxClusters value was set to 100 and not a value that was valid, which, for the visualisation selected was over 100,000.

I got this answer from Support and I hope that this helps someone else as well.

View solution in original post

BlueSocket
Communicator

The answer to this was the MaxClusters value was set to 100 and not a value that was valid, which, for the visualisation selected was over 100,000.

I got this answer from Support and I hope that this helps someone else as well.

securediversity
Explorer

awesome 🙂 many thanks for reporting this back - saves my day 😉

0 Karma

BlueSocket
Communicator

Just made another observation. this query WORKS and the map stays showing the data:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count

But this one does NOT work:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count by loss

The difference is that the second one includes a "by loss" clause.

Why does this break the report?

Splunk Support are silent on this, too.

0 Karma

BlueSocket
Communicator

Hmmm, I thought that it might be that the job was expiring, but I just watched it constantly and noticed that the data stays on the screen while the dark blue line at the top of the window is progressing from one side to the other, but then disappears when it gets to the end.

What is going on?

0 Karma

naidusadanala
Communicator

When splunk parses events based on the searches It progress It disappears once the search complete...

0 Karma

BlueSocket
Communicator

Yes. That is what I am seeing. I don't think that this is normal and expected, is it?

0 Karma

woodcock
Esteemed Legend

Yes, Splunk is designed to show partial results all along the way and adjust as it gets further along. Usually this is correctly progressive but sometimes it does backtrack depending on things later in the pipeline of the search.

0 Karma

BlueSocket
Communicator

...but why do ALL of the results disappear from the map?

Since trying to debug this, however, I now have a little more information.

I created another map and that has fewer rows in the geostats results. Interestingly, the results on this map do NOT disappear.

Hmmm.

0 Karma

slr
Communicator

I had some similar results once. Is possible that you have NULL data on your fields?

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...