Hi. I have this table.
As you can see, there are 2 storeA in both normal and critical. The latest record is on the normal table. I use this
| where CPU_Load < 1 AND Processes < 99
for the normal table and different conditions on the other panels. I don't know what the problem is here, but it looks like the table itself is not updating in real time! Can someone help me here?
I can confirm that tables based on real time searches which once had a result in their time range keep that last result once the time range moves ahead of that event, so that a table based on a real time search will always show the last result even if it has moved out of the time range of the real time search.
Not sure if this is a bug or a feature 🙂
To solve your issue, you could convert your searches to regular searches and re-run them every minute or so.
Can you elaborate more on this? "you could convert your searches to regular searches and re-run them every minute or so."
Have your dashboard use normal searches, i.e. searches with the same time range but not as real time searches, and trigger them to refresh every minute:
<option name="refresh.auto.interval">60</option>
See here for docs.
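The conversion described in the reply above, as an added Simple XML example that is not part of the original thread. The index, sourcetype and the `store` field are hypothetical placeholders; `CPU_Load`, `Processes`, the `where` clause and the `refresh.auto.interval` option come from the posts. The `stats latest(...) by store` step is an added assumption so that each store is judged on its newest values only.

```xml
<!-- Added example, not from the thread. index=os_metrics, sourcetype=store_perf
     and the "store" field are hypothetical placeholders. -->
<dashboard>
  <label>Store health</label>
  <row>
    <panel>
      <title>Normal</title>
      <table>
        <search>
          <!-- CDATA keeps the "<" in the where clause from breaking the XML -->
          <query><![CDATA[
            index=os_metrics sourcetype=store_perf
            | stats latest(CPU_Load) AS CPU_Load latest(Processes) AS Processes by store
            | where CPU_Load < 1 AND Processes < 99
          ]]></query>
          <!-- Regular (historical) window over the last minute.
               The real-time form this replaces would be rt-1m .. rt -->
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
        <!-- Option quoted in the reply: re-run the search every 60 seconds -->
        <option name="refresh.auto.interval">60</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The other panels would use the same base search and window, each with its own `where` condition.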
I'd say that in the time range that these searches run on, there are records for both a CPU load above and below your thresholds. Maybe you should make your table show averages, that would make them show up in only one of your tables.
If that's the case it would be easy. But I already configured every event to every minute and real time to a 1 minute window. I think the culprit here is that when the search triggers and the panel detects that it is not on the condition, it won't update the table, so the last record is still there remaining.
Or another theory is that tables or stats don't return an empty record, so it retains the last record it has to show.
Your second idea could actually be true; I've found it hard to deal with searches returning no results using the Splunk JS stack as well. I'm going to see if I can figure this out with an example.