- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- fields - values search command breaks dashboard wh...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm running Splunk 6.4.0 with two customers.
When using the fields - values search command, the dashboard is not showing any data after I have clicked on Edit --> Panels. The spaces are automatically removed from fields - values --> fields-values resulting in the dashboard not showing any data any more (I can't attach a screenshot due to missing karma points). This is really annoying.
Maybe external links are allowed: http://imgur.com/a/4tGWt
I'm using the following search string:
index=otcs eventtype="SummaryTiming" | stats count values(FunctionAction), avg(ExecutionTime) by ContextUserName| fields - values(FunctionAction) | $user_avgexecution_sort$ | Rename ContextUserName as "Requesting User" | Rename count as "Number of Requests" | Rename avg(ExecutionTime) as "Average Execution Time"
Is this a bug of Splunk 6.4.x?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No bug, but you are doing a few things that violate Splunk syntax and make your search run more slowly. Try this
index=otcs eventtype="SummaryTiming"
| stats count avg(ExecutionTime) as avgTime by ContextUserName
| $user_avgexecution_sort$
| Rename ContextUserName as "Requesting User"
| Rename count as "Number of Requests" | Rename avgTime as "Average Execution Time"
Sometimes Splunk does not like field names that have punctuation in them, some commands don't care. Therefore, I always use the "as" in stats to give those fields better (and easier to read) names. I created a field called avgTime in line 2 and used it in the final line.
Also, you created "values(FunctionAction)" in the stats command and then you never used it; you simply removed that result immediately afterward. I solved the problem by simply removing the initial calculation in the stats command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, it worked!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No bug, but you are doing a few things that violate Splunk syntax and make your search run more slowly. Try this
index=otcs eventtype="SummaryTiming"
| stats count avg(ExecutionTime) as avgTime by ContextUserName
| $user_avgexecution_sort$
| Rename ContextUserName as "Requesting User"
| Rename count as "Number of Requests" | Rename avgTime as "Average Execution Time"
Sometimes Splunk does not like field names that have punctuation in them, some commands don't care. Therefore, I always use the "as" in stats to give those fields better (and easier to read) names. I created a field called avgTime in line 2 and used it in the final line.
Also, you created "values(FunctionAction)" in the stats command and then you never used it; you simply removed that result immediately afterward. I solved the problem by simply removing the initial calculation in the stats command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also if you are going to use the above query in a dashboard make sure you add a preceeding $ and trailing $ to the user_avgexecution_sort
example
$$user_avgexecution_sort$$
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
