Splunk Search

Continuous Display of Time Since Event

_dave_b
Communicator

Hello,
I have made a dashboard that searches for an event, displays the time-stamp of that event, and the time elapsed since that event (by calculating the difference in epoch times between the event and the current time). My problem is that the elapsed time stays static, when it needs to be calculated and displayed continuously in real time.

Can anyone offer any ideas or examples of how to achieve this?

Thanks!

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi _dave_b,
What time period did you use? A real time or a static one?
If you use a real time search, your difference should be modified.
Otherwise, you should refresh your page.
Bye.
Giuseppe


niketn
Legend

You have two options.

Option 1
Convert the dashboard to Real Time. For example, the following looks at a 5 minute window. However, you should use dashboards with Real Time searches only if absolutely required (like depicting real-time network utilization etc.); otherwise you should rely on the second option (near real-time).

      <earliest>rt-5m</earliest>
      <latest>rt</latest>

Option 2
Set dashboard or panel refresh based on one of the following options, whichever suits your needs and Splunk Enterprise version:
A) Refresh the entire view on a periodic basis (the following is for every 5 minutes)

<dashboard refresh="300"> 
or 
<form refresh="300">

B) Individual Panel auto-refresh
(i) Splunk Enterprise 6.5 onward. Create your search panel and edit the search to add an Auto Refresh Delay, or do the same via Simple XML: for a specific search panel, add the following code

    <refresh>5m</refresh>

(ii) refresh.auto.interval to refresh an individual panel (a deprecated feature now; however, you can use it if you are using Splunk Enterprise 6.1 or greater but not on Splunk 6.5)

    <option name="refresh.auto.interval">300</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gokadroid
Motivator

Addressing this part of the question:

My problem is that the elapsed time stays static, when it needs to be calculated and displayed continuously in real time

The panel will report static data for the instance when the search was run, and it will stay as is till it's refreshed again. You have the option to refresh the query if you are using the latest Splunk version, wherein, depending on the refresh interval, the data will be automatically updated. An example of how to refresh the query every 5 minutes is below:

<search>
  <query>
  </query>
  <earliest></earliest>
  <latest></latest>
  <sampleRatio></sampleRatio>
  <refresh>5m</refresh>
</search>

Explore the other options for refreshing data in your panels/dashboard which are mentioned here:
https://answers.splunk.com/answers/483783/define-refresh-interval-for-formdashboard.html#answer-4840...
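Both answers above point at the same mechanism: the per-search `<refresh>` element (niketn's Option 2 B(i) and gokadroid's snippet). The dashboard below is an added example, not code from this thread or from Splunk, that puts that refresh together with the elapsed-time calculation _dave_b described. The index, sourcetype, dashboard label and the 24-hour search window are constructed for the example and should be replaced with your own; the `<refresh>` element itself requires Splunk Enterprise 6.5 or later, as noted in the answers.

```xml
<!-- Added example (not from the thread): a single-panel Simple XML dashboard.
     Assumptions (constructed for this example): index=main and
     sourcetype=heartbeat hold the event being tracked; adjust both. -->
<dashboard>
  <label>Time since last heartbeat</label>
  <row>
    <panel>
      <title>Last event and elapsed time</title>
      <table>
        <search>
          <!-- now() is evaluated once, when the search starts, so the elapsed
               value is only as fresh as the last run. This is why the panel
               sits static without a refresh. -->
          <query>
            index=main sourcetype=heartbeat
            | stats latest(_time) AS last_event
            | eval elapsed_sec = now() - last_event
            | eval last_event_str = strftime(last_event, "%Y-%m-%d %H:%M:%S")
            | eval elapsed = tostring(elapsed_sec, "duration")
            | table last_event_str elapsed_sec elapsed
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <!-- Re-run the search every 5 minutes, the interval used in the
               answers above. Shorten it for a near-live counter, but remember
               each refresh is a full search over the time range. -->
          <refresh>5m</refresh>
          <!-- "delay" waits 5m after the previous run finishes; "interval"
               starts runs on a fixed schedule regardless of run time. -->
          <refreshType>delay</refreshType>
        </search>
        <option name="count">1</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

If every panel on the view should refresh together, niketn's Option 2 A (`<dashboard refresh="300">`) does the same job at the dashboard level instead of per search. Either way the elapsed time only changes when the search actually re-runs, which is what makes such a panel useful for noticing a log source or heartbeat that has gone quiet: the elapsed value keeps climbing on each refresh rather than freezing at the time of the last manual load.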

_dave_b
Communicator

Thanks for your answer! I was not aware of the refresh feature before, but now that I am, I am wondering about how it works. Thanks for pointing out the other options that help answer my further questions.

0 Karma

_dave_b
Communicator

Thanks! Based off your suggestion, I looked up on how to refresh my dashboard panel, and it now automatically refreshes every 3 seconds or so. Ideally, it would refresh every 1 second, but 3 seconds is good enough for now.

0 Karma