Splunk Search

Stats table not updating real time

josefa123
Explorer

Hi. I have this table.


As you can see, there are 2 storeA in both normal and critical. The latest record is on the normal table. I use this | where CPU_Load < 1 AND Processes < 99 for the normal table and different conditions on the other panels. I don't know what the problem is here, but it looks like the table itself is not updating in real time! Can someone help me here?

0 Karma
1 Solution

jeffland
SplunkTrust

I can confirm that tables based on real time searches which once had a result in their time range keep that last result once the time range moves ahead of that event, so that a table based on a real time search will always show the last result even if it has moved out of the time range of the real time search.

Not sure if this is a bug or a feature 🙂

To solve your issue, you could convert your searches to regular searches and re-run them every minute or so.

josefa123
Explorer

Can you elaborate more on this? "you could convert your searches to regular searches and re-run them every minute or so."

0 Karma

jeffland
SplunkTrust

Have your dashboard use normal searches, i.e. searches with the same time range but not as real time searches, and trigger them to refresh every minute:

<option name="refresh.auto.interval">60</option>

See here for docs.
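As an added illustration of the answer above (this is example dashboard XML written for this thread, not code posted by jeffland or shipped with Splunk), here is a Simple XML panel that applies the suggestion: the search keeps the same one-minute window but runs as a regular search with `-1m`/`now` instead of a real-time search with `rt-1m`/`rt`, and the panel re-runs it every 60 seconds. The `where` clause and the field names `CPU_Load` and `Processes` come from the question; the index, sourcetype, the `host` split field and the `stats latest(...)` line are assumptions.

```xml
<!-- Added example for this thread, not from the original post or from Splunk.
     A "Normal" panel converted from a 1-minute real-time search to a regular
     search over the same window, refreshed once a minute.
     Assumed: index=host_metrics, sourcetype=cpu_stats, a "host" field and the
     stats line; the where clause and field names are from the question. -->
<dashboard>
  <label>Store host status (example)</label>
  <row>
    <panel>
      <title>Normal</title>
      <table>
        <search>
          <!-- "<" must be written as &lt; inside XML element text -->
          <query>index=host_metrics sourcetype=cpu_stats
| stats latest(CPU_Load) AS CPU_Load latest(Processes) AS Processes BY host
| where CPU_Load &lt; 1 AND Processes &lt; 99</query>
          <!-- Regular search over the last minute; a real-time search would use
               <earliest>rt-1m</earliest> and <latest>rt</latest> instead -->
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
        <!-- Re-run the search every 60 seconds. Because each run is a fresh
             regular search, a minute with no matching event yields an empty
             table instead of the last row lingering from a real-time search. -->
        <option name="refresh.auto.interval">60</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Each of the other panels (critical, etc.) would get the same `<search>` block with its own `where` condition and the same refresh option, so all tables are re-evaluated on the same schedule.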

jeffland
SplunkTrust

I'd say that in the time range that these searches run on, there are records for both a CPU load above and below your thresholds. Maybe you should make your table show averages, that would make them show up in only one of your tables.

0 Karma

josefa123
Explorer

If that's the case, it would be easy. But I already configured every event to every minute and real time to a 1-minute window. I think the culprit here is that when the search triggers and the panel detects that it is not on the condition, it won't update the table, so the last record is still there.

0 Karma

josefa123
Explorer

Or another theory is that tables or stats don't return an empty record, so it retains the last record it has to show.

0 Karma

jeffland
SplunkTrust

Your second idea could actually be true; I've found it hard to deal with searches returning no results using the Splunk JS stack as well. I'm going to see if I can figure this out with some examples.

0 Karma