Re: Panel(single value,table) values are changing ...

dtccsundar · ‎01-03-2022

Hi,

I have created a single value and statistical table panel using the below base search ,

base search :

<search id="search1">
<query>index=s (sourcetype=S_Crd OR sourcetype=S_Fire) | fields *</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>

In search:

| rex field=_raw "Fire=(?<FireEye>.*?),"

| rex mode=sed field=Fire "s/\\\"//g"

| stats values(*) as * values(sourcetype) as sourcetype by sysid

| fillnull value=""

|evalOS=case(like(OS,"%Windows%"),"Windows",like(OS,"%Linux%"),"Linux",like(OS,"%Missing%"),"Others",like(OS,"%Solaris%"),"Solaris",like(OS,"%AIX%"),"AIX",1=1,"Others")

|search $os$

|stats count</query>

</search>

sometime I am getting correct values but suddenly it displays 0 in all panels including this.After giving ctrl + F5 ,the issue gets resolved .May i know the reason for this and how to resolve this in dashboard.

isoutamo · ‎01-03-2022

Hi

are you sure that your base search didn't exceed splunk limit 500k events? You should avoid base searches without transforming commands (like stats, chart, time chart etc.).

Here is more about it

r. Ismo

Panel(single value,table) values are changing to 0 when there is values

panel

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio