Clustermaps not loading properly using a base sear...

HaxUez · ‎03-30-2021

In a dashboard, a single panel using a lookup and geostats works fine. When I take that search and split it up to use a base search with multiple panels it semi-breaks. The Cluster map will start loading but the pie charts appear then disappear. The other panels on the dashboard are pie charts and they all load appropriately. Once the search completes however, if you click refresh the cluster map results will display properly. Is this a problem with my source, the SPL, or something else (bug)? Source below is just the Panel for the Cluster map I am having problems with.

<form>
<label>Firewall Clustermap</label>
<description>Inbound Traffic</description>
<search id="Global_Traffic">
<query>index=xyz_firewall sourcetype=xyz_log policy_name="XYZ" direction=inbound |fields Country,src_ip,vendor_action,dest_ip,dest_port, src_port
|iplocation src_ip |search Country=* [|inputlookup XYZ_Country_Block_List]
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="true">
<input type="time" token="field1">
<label>Choose Time then Click Submit</label>
<default>
<earliest>-1m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>GLOBAL DROPS</title>
<map>
<title>ACTION: Drop</title>
<search base="Global_Traffic">
<query>|Search vendor_action IN (Drop, Deny, Block, Reject) |geostats count by Country globallimit=0</query>
</search>
<option name="mapping.type">marker</option>
<option name="refresh.display">progressbar</option>
</map>
</panel>

victorsalazar · ‎11-06-2023

Hello All

I had exactly the same Issue and this only happens when u use the base search directly to get the cluster map populated. I solved the issue and maybe is a silly way to do it but it was the only way to make it workg for me.

In your cluster map edit search --> search string text box do something like this

mainQuery: it is your base search, in my case is a Macro used in differnt dashboads
################### Code ###############################

| fields 1 ``` there is no fields called 1 - the idea is to get an empty result from the base search ```
``` The idea about the code below is to use the query mainQuery and get the fields to pass them to geostats ```

| append
[ search `mainQuery`
| fields lat lon country sales
]
| geostats latfield=lat longfield=lon count(sales) by country globallimit=0 locallimit=0

################### end of Code ###############################

HaxUez · ‎03-30-2021

Before refresh and After refresh screenshots of Cluster maps

After RefreshBefore Refresh

bowesmana · ‎03-30-2021

This will be no help to you unfortunately, but I have seen similar behaviour I believe on a Splunk 7.X environment, but never found the cause. What version are you on?

HaxUez · ‎03-31-2021

Version 8.1.2

Clustermaps not loading properly using a base search

form

panel

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?