Splunk Search

Can my dashboard pick from a set of predetermined timechart spans depending on the user's timerange length?

sideview (SplunkTrust)

First, the answer here may be to simply not use span=1h at all, but rather to use bins=500 or some similar number in the timechart command, and let timechart command itself figure out what span best fits that total number of bins.

But, let's say I have a timechart and the user can pick last 3 hours, last 48 hours or last month. For last 3 hours I want span=30min, for last 48 hours I want span=4h, and for last month I want span=1d.

Is there a way I can make my dashboard itself pick the right argument to the timechart command based only on the timerange that the user picked?


cheganbm (Explorer)

When you say "(...), and let timechart command itself figure out what span best fits that total number of bins.(...)" is there a way to display the determined span value if we use the bins=1000 option?

Thanks.


sideview (SplunkTrust)

I know several apps have come up with their own way of doing this, but it can be done using Sideview Utils with no custom javascript. Here is an example.

We basically dispatch a strange little search. It will run very quickly and match no events, but we'll use the search language to calculate our timerange duration, to also pick for us the right "span=5m" argument, and then we'll use the Sideview ResultsValueSetter module to pull the final span field down from the server and turn it into a $span$ token on the client.

After that we can just plug it into our Search module like any other $foo$ token.

<module name="TimeRangePicker">
  <param name="default">Last 24 hours</param>

  <!-- Helper search: it matches nothing, but addinfo exposes the selected
       timerange, so we can compute its duration in seconds and pick the
       matching span argument. The thresholds are ordered from largest to
       smallest because case() returns the first condition that is true
       (7d, 1d, 4h, 1h, then a 1=1 catch-all for anything shorter). -->
  <module name="Search">
    <param name="search"><![CDATA[
      foo NOT foo | stats count | addinfo | table info_min_time info_max_time | eval duration=info_max_time - info_min_time | eval span=case( duration>604800,"span=1d", duration>86400,"span=4h", duration>14400,"span=1h", duration>3600,"span=30min", 1=1,"span=1min")
    ]]></param>

    <!-- Pull the span and duration fields from the first result row down
         to the client as the $span$ and $duration$ tokens. -->
    <module name="ResultsValueSetter">
      <param name="fields">span,duration</param>

      <module name="Search">
        <param name="search"><![CDATA[
          index=_internal | head 1000 | timechart count $span$
        ]]></param>

        <module name="HTML" layoutPanel="viewHeader">
          <param name="html"><![CDATA[
          did it work?   span = $span$<br>
          duration = $duration$
          ]]></param>
        </module>
        <module name="JSChart" />
      </module>
    </module>
  </module>
</module>

It's worth noting that ResultsValueSetter only ever gets field values from the first row of your search results, so sometimes you need to think a bit about how to get all your values into one row.

http://sideviewapps.com/apps/sideview-utils
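The same idea expressed in Splunk's Simple XML, as an added example that is not part of sideview's answer and not code from Sideview Utils. It assumes a Splunk version whose Simple XML supports a `<search>` with a `<done>` handler and `<set token>` (the standard way to turn a result field into a dashboard token). The `pick_span` search id and the `tp` time-input token are names chosen for this example; the thresholds and the `index=_internal` chart search are the ones from the answer above.

```xml
<form>
  <label>Timechart span that follows the picked time range (added example)</label>

  <fieldset submitButton="false">
    <input type="time" token="tp">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Helper search: makeresults gives one row, addinfo stamps it with the
       picked range, and case() turns the range length into a span argument.
       Conditions are ordered largest to smallest because case() stops at the
       first true condition. If the range is unbounded ("All time"), addinfo
       reports an infinite max time, the subtraction yields null, and the
       isnull() guard falls back to the coarsest span instead of 1min. -->
  <search id="pick_span">
    <query>
      | makeresults
      | addinfo
      | eval duration = info_max_time - info_min_time
      | eval span = case(
          isnull(duration) OR duration > 604800, "span=1d",
          duration > 86400,  "span=4h",
          duration > 14400,  "span=1h",
          duration > 3600,   "span=30min",
          1=1,               "span=1min")
      | table span duration
    </query>
    <earliest>$tp.earliest$</earliest>
    <latest>$tp.latest$</latest>
    <!-- $result.field$ reads the first row of the results, the same
         first-row behaviour the answer notes for ResultsValueSetter. -->
    <done>
      <set token="span">$result.span$</set>
      <set token="duration">$result.duration$</set>
    </done>
  </search>

  <row>
    <panel>
      <html>
        <p>span = $span$, duration = $duration$ seconds</p>
      </html>
      <chart>
        <!-- The chart search waits until $span$ is set, then reruns
             whenever the time input (and therefore the token) changes. -->
        <search>
          <query>index=_internal | timechart count $span$</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Save it as a dashboard XML under an app's `default/data/ui/views` (or paste it into the dashboard editor's source view) and change the time range: the helper search reruns, the `<done>` handler rewrites `$span$`, and the chart search is dispatched again with the new span.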
