Data Not matching in panel/search

vishwa

In a dashboard showing diff data in a panel, but when we open the panel query using "open in search" its showing correctly.

<form version="1.1" theme="dark">
<label>DMT Dashboard</label>
<fieldset submitButton="false">
<input type="time" token="timepicker">
<label>TimeRange</label>
<default>
<earliest>-15m@m</earliest>
<latest>now</latest>
</default>
</input>
<row>
<panel>
<table>
<search>
<query>
index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23)  repoter.dataloadingintiated
|stats count by local
|append
[search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23)  task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data"
|stats count as FilesofDMA]
|append
[search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23)   "app.mefwebdata - jobintiated"
|eval host = case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24))
|eval host = host + " - " + host_ip
|stats count by host
|fields - count
|appendpipe
[stats count
|eval Error="Job didn't run today"
|where count==0
|table Error]]
|stats values(host) as "Host Data Details", values(Error) as Error, values(local) as "Files created localley on AMP", values(FilesofDMA) as "File sent to DMA"
<query>
<earliest>timepicker.earliest</earliest>
<latest>timepicker.latest</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentageRow">false</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="host_ip>
<colorPalette type="map">{"12.234.201.22":#53A051, "10.457.891.34":#53A051,"10.234.34.18":#53A051,"10.123.363.23":#53A051}</colorPalette>
</format>
<format type="color" field="local">
<colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
<scale type="threshold">8</scale>
</format>
<format type="color" field="FilesofDMA">
<colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
<scale type="threshold">8</scale>
</format>
<format type="color" field="Files created localley on AMP">
<colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
<scale type="threshold">8</scale>
</format>
<format type="color" field="File sent to DMA">
<colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
<scale type="threshold">8</scale>
</format>
<format type="color" field="Error">
<colorPalette type="map">{"Job didn't run today":#DC4E41}</colorPalette>
</format>
<format type="color" field="Host Data Details">
<colorPalette type="map">{"HOM-jjderf - 10.123.34.18":#53A051"HOM-iytgh - 10.123.363.23":#53A051, HOP-wghjy - 12.234.201.22":#53A051, "HOP-tyhgt - 12.234.891.34":#53A051}</colorPalette>
</format>
</table>
</panel>
</row>
</form>

Panel displaying in dashboard:

When we open the panel in search showing as below:(this is the correct data)

Host Data Details	Error	Files created localley on AMP	File sent to DMA
HOM-jjderf - 10.123.34.18 HOM-iytgh - 10.123.363.23 HOP-wghjy - 12.234.201.22 HOP-tyhgt - 12.234.891.34		221	86

ITWhisperer

I don't know if it makes a difference but your fieldset is not terminated and your earliest and latest aren't referencing the timepicker token correctly.

Data Not matching in panel/search

Classic dashboard

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...