Dashboard in app is not showing the expected results
You are using an app, and one of its views does not show you the results you expect. Begin troubleshooting here.
Determine the search string that powers the panel that is not showing the expected results
There are many methods to achieve this.
You can look at the view source by appending "?showsource=1" ("&showsource=1" if other parameters have already been appended) to the view URL in the browser address bar.
Expand macros and event types
Macros and event types are convenient knowledge objects, but unless you know exactly what they do, they can obscure the way a given search works. For that reason, it is often easier to expand them manually so that you know exactly what your search is doing.
You can see the contents of your entire search by using a keyboard shortcut, Command+Shift+E (Mac OSX) or Control+Shift+E (Linux or Windows) from the Search bar in the Search page. This opens a preview that displays the expanded search string, including all search macros and saved searches. For more info, see Expand your search in the Search Manual.
Run the search manually from the time line, in the relevant app context
Answer the question: Can you reproduce this manually, outside of the view it was reported in?
Compare results against source events
The next step is simple: Compare the results generated by the search and its multiple evals against the source events.
Dig deeper
To drill down to the source of the problem, pick one example, ideally a search that we know was run by an actual user.
Add the SID as a search term.
As discussed earlier, stats first(user) by search_id picks up the most recent value of the user field for a given search id.
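The following search is an added example, not taken from the Splunk documentation. It shows that first(user) depends on the order in which events reach stats, so it returns the most recent value only while results are in the default reverse-time order. The three events, the search_id value and the user names are constructed with makeresults.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time = _time - n * 60
| eval search_id = "1700000000.42"
| eval user = case(n == 1, "carol", n == 2, "bob", n == 3, "alice")
| sort 0 _time
| stats first(user) AS first_user, latest(user) AS latest_user BY search_id
```

With the ascending sort in place, first_user is alice (the oldest event) while latest_user is carol (the newest by _time). Without the sort line, both return carol.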
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2