Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my post process real-time base saved search failing to graph values if I change "where timing < 10" to "fields timing" or "timechart avg(timing)"?

tborup
Engager
‎11-10-2015 11:33 AM

I have a dashboard referring a saved search. The search is a real-time search returning the values timing and count by _time. The dashboard works fine until I change "where timing < 10" to "fields timing" or "timechart avg(timing)". After this change, no values are shown in the graph. Can this be explained in any way?

The goal is to use one real-time search on both a graph with two values (timing and count) and a gauge only showing the value of count.

<dashboard>
  <search id="BaseSearch" ref="Request pr.min RT"></search>
  <row>
    <panel>
      <chart>
        <search base="BaseSearch">
          <query>where timing < 10</query>
        </search>
.....

Splunk version: 6.2.3

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tborup
Engager
‎11-11-2015 01:40 AM

If I change the query part to this 

    <search base="BaseSearch">
      <query>fields _time count timing</query>
    </search>

the value timing disappears. This is unexpected, but it gives me the result I want and I am able to show the count value in a gauge.

In case the basesearch is important in giving the answer to this unexpected behavior, I'll provide it here.

`FMK_servers_auditLog` | fields _time processingTime | bin _time span=2s as sek2 | eval sek=strftime(sek2,"%H:%M:%S") | stats count avg(processingTime) as timing by sek | eval count = count*0.5 | eval timing = timing/10

View solution in original post

Reply
Solved! Jump to solution
Solution

tborup
Engager
‎11-11-2015 01:40 AM

If I change the query part to this 

    <search base="BaseSearch">
      <query>fields _time count timing</query>
    </search>

the value timing disappears. This is unexpected, but it gives me the result I want and I am able to show the count value in a gauge.

In case the basesearch is important in giving the answer to this unexpected behavior, I'll provide it here.

`FMK_servers_auditLog` | fields _time processingTime | bin _time span=2s as sek2 | eval sek=strftime(sek2,"%H:%M:%S") | stats count avg(processingTime) as timing by sek | eval count = count*0.5 | eval timing = timing/10
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...