Splunk® Enterprise

Troubleshooting Manual

Dashboard in app is not showing the expected results

You are using an app, and one of its views does not show you the results you expect. Begin troubleshooting here.

Determine the search string that powers the panel that is not showing the expected results

There are many methods to achieve this.

You can look at the view source by appending "?showsource=1" ("&showsource=1" if other parameters have already been appended) to the view URL in the browser address bar.

Expand macros and event types

Macros and event types are convenient knowledge objects, but unless you know exactly what they do, they can obscure the way a given search works. For that reason, it is often easier to expand them manually so that you know exactly what your search is doing.

You can see the contents of your entire search by using a keyboard shortcut, Command+Shift+E (Mac OSX) or Control+Shift+E (Linux or Windows) from the Search bar in the Search page. This opens a preview that displays the expanded search string, including all search macros and saved searches. For more info, see Expand your search in the Search Manual.

Run the search manually from the time line, in the relevant app context

Answer the question: Can you reproduce this manually, outside of the view it was reported in?

Compare results against source events

The next step is simple: Compare the results generated by the search and its multiple evals against the source events.

Dig deeper

In order to drill down to the source of the problem, pick one example. A good one if possible: A search that we know was run by an actual user.

Add the SID as a search term.

As discussed earlier, stats first(user) by search_id picks up the most recent value of the user field for a given search id.

Last modified on 10 November, 2020
Too many search jobs   Intermittent authentication timeouts on search peers

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters