Splunk Search
Highlighted

Why is my dashboard panel showing different values from the base report?

Explorer

Hi,

I wonder if someone can help me on something. I created a report which runs absolutely fine no matter when I run it. I added the report to a dashboard panel, but now some values are missing.

This is the search string:

index=risk sourcetype=feed_info 
| eval sys1_arrival_time=if(sys1_arrival_time=="NULL", "",sys1_arrival_time ) 
| eval sys2_end_time=if(sys2_end_time=="NULL", "",sys2_end_time ) 
| eval timenow=now() | eval nowstring=strftime(now(), "%Y-%m-%d") 
| eval sys1_exp_time_string=nowstring+" "+tostring(system1_expected_time) 
| eval sys1_exp_time_epoch=strptime(sys1_exp_time_string, "%Y-%m-%d %H:%M:%S") | eval sys1_arrival_time_epoch=strptime(sys1_arrival_time, "%Y-%m-%d %H:%M:%S") 
| eval sys1_status=case(timenow>sys1_exp_time_epoch AND isnull(sys1_arrival_time_epoch), "Late", timenowsys1_exp_time_epoch, "OK (Arrived Late)", sys1_arrival_time_epoch<=sys1_exp_time_epoch, "OK") | eval sys2_exp_time_string=nowstring+" "+tostring(system2_expected_time) 
| eval sys2_exp_time_epoch=strptime(sys2_exp_time_string, "%Y-%m-%d %H:%M:%S") | eval sys2_end_time_epoch=strptime(sys2_end_time, "%Y-%m-%d %H:%M:%S") 
| eval sys2_status=case(timenow>sys2_exp_time_epoch AND isnull(sys2_end_time_epoch), "Late", timenowsys2_exp_time_epoch, "OK (Finished Late)", sys2_end_time_epoch<=sys2_exp_time_epoch, "OK") 
| table value_date,feedname, sys1_exp_time_string,sys1_arrival_time, sys1_status, sys2_exp_time_string,sys2_end_time, sys2_status 
| rename sys1_exp_time_string AS sys1_expected_time, sys2_exp_time_string as "sys2_expected_time"  
| dedup 1 feedname

The different values are the sys1status and sys2status. Curiously these two are calculated fields, based on time. I also noticed that the issue happens after 6pm - during the day it works fine.

Faulty Panel: http://s000.tinyupload.com/?file_id=06140936697604993623
Working Report: http://s000.tinyupload.com/?file_id=76794376457864993058

Both screenshots were taken at the same time.

Thanks!

0 Karma
Highlighted

Re: Why is my dashboard panel showing different values from the base report?

Explorer

Hmmmm... I also noticed that the number of events are less in the dashboard and that the search runs in fast mode. Is there a way to force verbose mode?

0 Karma
Highlighted

Re: Why is my dashboard panel showing different values from the base report?

Builder

It's probably truncating your results in the dashboard. If you adjust your time span more in your timetable or what have you... it will look even on the display.

I'm sure there's a way to modify slunk truncation rules. Or at least a better work arounds

0 Karma
Highlighted

Re: Why is my dashboard panel showing different values from the base report?

Explorer

Yes, it is truncating results, probably because it's running a fast (instead of a verbose) search. Just don't know how to force a verbose search on dashboard panels...

0 Karma