sghaskell
commented
5 years ago Hi @JohnKruse - Can you tell me the following:
- Splunk Version
- Browser & Version
- Is the visualization powered by post-process searches with a base search?
Open JohnKruse opened 5 years ago
sghaskell
commented
5 years ago Hi @JohnKruse - Can you tell me the following:
JohnKruse
commented
5 years ago Hi Scott,
I've got several observations that may or may not help.
Thanks, John
============================================ John Kruse john@kruser.org 781.333.8349
*"There is nothing which I dread so much as a division of the republic into two great parties*, each arranged under its leader, and concerting measures in opposition to each other. This, in my humble apprehension, is to be dreaded as the greatest political evil under our Constitution." - John Adams
On Tue, Jul 23, 2019 at 9:37 AM Scott Haskell notifications@github.com wrote:
Hi @JohnKruse https://github.com/JohnKruse - Can you tell me the following:
- Splunk Version
- Browser & Version
- Is the visualization powered by post-process searches?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/sghaskell/maps-plus/issues/12?email_source=notifications&email_token=AAVWTHZTEJFKHAS2UHKEDXDQA4QUPA5CNFSM4IGFF2CKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2TQ6YQ#issuecomment-514264930, or mute the thread https://github.com/notifications/unsubscribe-auth/AAVWTH6EGDFOEA2ZQGBJEBTQA4QUPANCNFSM4IGFF2CA .
JohnKruse
commented
4 years ago I think what is happening is that the Map is displaying results from the Base Search that are half-baked. That is, the search hasn't really completed. In a dashboard with both the map and a table, I can see the table updating as things change, but the map seems to lock in with premature results. I see in the Maps (Continued) tab that there is a "Dashboard Refresh Interval" setting, but my impression is that this isn't really what I'm looking for in retarding the painting of the map to ensure the results are final, eh? Thanks, John
lorenzoalbanof
commented
1 year ago I can report the same issue.
Splunk: Enterprise Version 9.0.2 Build 17e00c557dc1
Browser: Chrome Version 109.0.5414.120 (Official Build) (64-bit)
Also (only for testing): Microsoft Edge Version 109.0.1518.70 (Official build) (64-bit)
In a Report / Search (and "Open in Search" from dashboard panel): Everything runs as it should. Markers are shown according to the Statistics. When layerVisibility=false is set the marker won't be displayed on map unless the user selects otherwise in Layer Control UI. There are no duplicate rows in the Statistics (as it should be). If there's spiderfy-ing of markers for the same location, it's by (search) design, these are indeed different rows / entities with unique tooltip and description, also different markerColor and icon.
Same search in a dashboard panel: There's a chance that layers intended to be invisible at start (layerVisibility=false) will be displayed at start anyway. There's a chance that some some markers will be displayed in duplicate, triplicate and even quadruplicate. It usually happens everywhere for the same layerGroup / clusterGroup value. A cluster of most frequently 2, sometimes 3, rarely 4 or 5 markers at the same location is seen. Upon zoom and spiderfy-ing: several identical markers: markerColor, icon, tooltip and description. However, the search results contain no duplicates ("Open in Search" Statistics and Maps+ Visualization confirm this).
Refreshing the dashboard / webpage or redoing the search sometimes (around half the times) does correct the problem for one or more of the layerGroup's, sometimes it doesn't.
I have also seen that sometimes, initially and while the search is running and the "in progress" clock animation runs, the clusters shown for a given layerGroup have the right number of markers. But upon completion of search, they multiply as described above and the invisible-by-design layers appear.
I have tried playing with visualization format and available options to prevent this. I have tried to mimic available format options in Search in dashboard panels.
Maybe there's a setting that can prevent this in the visualization options (In the XML source code of dashboard) that is not accessible to the Search window format options, that however is right in the Search Window. That I changed inadvertently and for the worse in the dashboard panel...
I read a previous issue that may or may not have been the same problem. It's not clear. Sorry if this is redundant. When I run a report, the map's placement and colors of circles seems to be reliable. When, however, it is placed into a dashboard, it is not. I can't tell if it is grabbing an early version of the results or if it is somehow using some cached information. I've tried different panels with the same core search, and then I tried building a base search to feed both panels (the table for the map has different fields than for my user-readable table panel). I can see that the text table is spitting out what I'd expect, but the map will have sometimes radically different results (e.g., circle colors, sizes, opacities, membership) - even the mouseover description will not match. I'd post something, but it is somewhat sensitive. Thanks, JK