Hi,
I have created a single-value panel and a statistical table panel using the base search below.
Base search:
<search id="search1">
<query>index=s (sourcetype=S_Crd OR sourcetype=S_Fire) | fields *</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
In search:
<single>
<search base="search1">
<query>
| rex field=_raw "Fire=(?&lt;FireEye&gt;.*?),"
| rex mode=sed field=Fire "s/\\\"//g"
| stats values(*) as * values(sourcetype) as sourcetype by sysid
| fillnull value=""
| eval OS=case(like(OS,"%Windows%"),"Windows",like(OS,"%Linux%"),"Linux",like(OS,"%Missing%"),"Others",like(OS,"%Solaris%"),"Solaris",like(OS,"%AIX%"),"AIX",1=1,"Others")
| search $os$
| stats count</query>
</search>
</single>
Sometimes I get correct values, but suddenly it displays 0 in all panels, including this one. After pressing Ctrl+F5 the issue gets resolved. May I know the reason for this and how to resolve it in the dashboard?
Hi
Are you sure that your base search didn't exceed the Splunk limit of 500k events? You should avoid base searches without transforming commands (like stats, chart, timechart etc.).
Here is more about it
r. Ismo
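The restructuring Ismo recommends, as an added example dashboard that is not the original poster's or Ismo's code: the extraction and the `stats ... by sysid` aggregation move into the base search, so it ends in a transforming command and the panels post-process a small set of aggregated rows instead of the raw event stream. The index, sourcetypes, field names (`sysid`, `OS`, `FireEye`) and the `$os$` dropdown values are assumptions carried over from the thread; the `sed` is applied to `FireEye` (the field the `rex` actually creates), and the redundant `%Missing%` branch is folded into the `1=1` default.

```xml
<!-- Added example, not the original poster's or Ismo's dashboard.
     Assumed field names: sysid, OS, FireEye; assumed token: $os$.
     The base search ends in a transforming command (stats), so the
     post-process searches below receive aggregated rows, not raw events. -->
<form>
  <label>Host inventory (base search example)</label>

  <search id="search1">
    <!-- Heavy lifting happens once here: extraction, clean-up, aggregation.
         Inside XML the named group must be escaped: (?&lt;FireEye&gt;...) -->
    <query>
      index=s (sourcetype=S_Crd OR sourcetype=S_Fire)
      | rex field=_raw "Fire=(?&lt;FireEye&gt;.*?),"
      | rex mode=sed field=FireEye "s/\\\"//g"
      | stats values(*) as * values(sourcetype) as sourcetype by sysid
      | fillnull value=""
      | eval OS=case(like(OS,"%Windows%"),"Windows",
                     like(OS,"%Linux%"),"Linux",
                     like(OS,"%Solaris%"),"Solaris",
                     like(OS,"%AIX%"),"AIX",
                     1=1,"Others")
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <fieldset submitButton="false">
    <!-- The token expands to a search filter on the aggregated OS field. -->
    <input type="dropdown" token="os">
      <label>OS</label>
      <choice value="*">All</choice>
      <choice value="OS=Windows">Windows</choice>
      <choice value="OS=Linux">Linux</choice>
      <choice value="OS=Solaris">Solaris</choice>
      <choice value="OS=AIX">AIX</choice>
      <choice value="OS=Others">Others</choice>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <single>
        <title>Hosts ($os$)</title>
        <!-- Post-process: only filter and count the pre-aggregated rows. -->
        <search base="search1">
          <query>| search $os$ | stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <table>
        <title>Hosts by OS</title>
        <search base="search1">
          <query>| search $os$ | table sysid OS sourcetype FireEye</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

To confirm the change took effect, open the base search from a panel's "Open in Search" menu and look at the Job Inspector: the panels now consume the search's result rows (one per `sysid`), so the row count they post-process is the number of hosts rather than the number of raw events in the last 24 hours.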