Solved: Re: Why do my results appear and then disappear on...

BlueSocket · ‎03-18-2016

Dear All,

I have a geostats search that is providing a mapped view of events over a single area. It is like this:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count by loss

At first, the map shows up the results, but after about 5 minutes, if I come back to the map, the results disappear.

Is this because the results in the search job are removed after a certain amount of time or is it being there has been a timeout or what?

The number of events is about 700000, by the way.

Kind regards,

BlueSocket

BlueSocket · ‎04-25-2016

The answer to this was the MaxClusters value was set to 100 and not a value that was valid, which, for the visualisation selected was over 100,000.

I got this answer from Support and I hope that this helps someone else as well.

View solution in original post

BlueSocket · ‎04-25-2016

The answer to this was the MaxClusters value was set to 100 and not a value that was valid, which, for the visualisation selected was over 100,000.

I got this answer from Support and I hope that this helps someone else as well.

securediversity · ‎11-16-2018

awesome 🙂 many thanks for reporting this back - saves my day 😉

BlueSocket · ‎04-11-2016

Just made another observation. this query WORKS and the map stays showing the data:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count

But this one does NOT work:

index="event_index" Lost=true AND NOT value = true | geostats latfield=latitude longfield=longitude binspanlong=1 binspanlat=1 count by loss

The difference is that the second one includes a "by loss" clause.

Why does this break the report?

Splunk Support are silent on this, too.

BlueSocket · ‎03-18-2016

Hmmm, I thought that it might be that the job was expiring, but I just watched it constantly and noticed that the data stays on the screen while the dark blue line at the top of the window is progressing from one side to the other, but then disappears when it gets to the end.

What is going on?

naidusadanala · ‎03-18-2016

When splunk parses events based on the searches It progress It disappears once the search complete...

BlueSocket · ‎03-18-2016

Yes. That is what I am seeing. I don't think that this is normal and expected, is it?

woodcock · ‎03-20-2016

Yes, Splunk is designed to show partial results all along the way and adjust as it gets further along. Usually this is correctly progressive but sometimes it does backtrack depending on things later in the pipeline of the search.

BlueSocket · ‎03-21-2016

...but why do ALL of the results disappear from the map?

Since trying to debug this, however, I now have a little more information.

I created another map and that has fewer rows in the geostats results. Interestingly, the results on this map do NOT disappear.

Hmmm.

slr · ‎03-30-2016

I had some similar results once. Is possible that you have NULL data on your fields?

Why do my results appear and then disappear on a map?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)