I have the following Splunk query that I have used in a dashboard:
[search source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"| stats avg(time_taken) by cs_uri_filepath | sort - avg(time_taken) | head 10 | fields + cs_uri_filepath] | timechart span=1d avg(time_taken) by cs_uri_filepath
The above query returns the data when I run it in the search view. But when used in a dashboard, for some reason, Splunk seems to be appending an extra keyword 'Search' to the query. The query looks like:
search [search source="Stg" earliest=-15d cs_uri_token_2="0012c" cs_uri_filepath="web/mapservicecontroller*"| stats avg(time_taken) by cs_uri_filepath | sort - avg(time_taken) | head 10 | fields + cs_uri_filepath] | timechart span=1d avg(time_taken) by cs_uri_filepath
The above query does not return any data and hence the dashboard does not display the graph.
Also, I do not face this issue when my dashboard is designed for a single panel that uses the query I mentioned at the beginning of the post. The moment I add 2-3 panels (even if all the panels use the same query) to my dashboard, the query gets modified to add the extra 'Search' keyword.
Has anyone faced this issue before and knows how to get rid of it?