Dashboards & Visualizations

Dashboard SearchTemplate

jrich523
Path Finder

I'm doing a fairly simple search template that just isn't working. It seems to be limited to 1000 events? (Can't find any docs that would suggest this.) And only 1 of the 3 charts even attempts to use the template at all.

It looks like the first timechart count works OK (only populates 1000) and the following timecharts (that have a "by") are getting all nulls.

So, two questions: is there a limit, and if so, do I have any control over it?
Why are charts 2 and 3 getting all empty entries?

 <form>
  <label>General Usage Stats</label>
  <description/>
  <searchTemplate>sourcetype="f5:irule:webaccess" | rex field=url "(?&lt;base&gt;[^?]+)\?(?&lt;querystring&gt;.*)"  | eval kb=(response_data_size/1024)</searchTemplate>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Total Hits</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
    <chart>
      <title>Hits by URL</title>
      <searchPostProcess>timechart count by base limit=5 useother=f usenull=f</searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="count">10</option>
    </chart>
    <chart>
      <title>Hits by Server</title>
      <searchPostProcess>timechart count by server_name limit=5 useother=f usenull=f</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
  </row>
</form>
0 Karma

MuS
Legend

Hi jrich523,

You should use a transforming command within your searchTemplate for best results and to omit the limit you suspect you are hitting. Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/AdvancedDev/PostProcess to get more details on this.

cheers, MuS

0 Karma

ngatchasandra
Builder

To answer your question, I have taken your source code and tested it with my own request based on my data. When I did this, none of the charts showed results. Then I took each of my requests and tested them in the Splunk search bar, and all worked well. For example, this is my SearchTemplate:
index=project1_index | rex "\d+-\d+-\d+ \d+:\d+:\d+ (?<Host>[a-zA-Z0-9.-]+)"|rex max_match=0 "(?i) STRING: \"\"(?P<FIELDNAME>[^\"]+)" | eval Source=mvindex(FIELDNAME,0) | eval kb=(data_second/1024)

Note: all my fields are extracted from _raw.

The request works well! So it is the default value of your time input that has the problem, because it works when I remove the following:

<default>
  <earliestTime>-15m</earliestTime>
  <latestTime>now</latestTime>
</default>

In my case, it means that no events reach -15m or now.
I think it is not a problem of a limit. My code looks like the following:

<form>
  <label>General Usage Stats</label>
  <description/>
  <searchTemplate>index=project1_index |  rex "\d+\-\d+\-\d+ \d+\:\d+:\d+ (?&lt;Host&gt;[a-zA-Z0-9.-]+)"|rex max_match=0 "(?i) STRING: \"\"(?P&lt;FIELDNAME&gt;[^\"]+)"| eval Source=mvindex(FIELDNAME,0) | eval kb=(data_second/1024)</searchTemplate>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Total Hits</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
    <chart>
      <title>Hits by URL</title>
      <searchPostProcess>timechart count by Host limit=5 useother=f usenull=f</searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="count">10</option>
    </chart>
    <chart>
      <title>Hits by Server</title>
      <searchPostProcess>timechart count by Source limit=5 useother=f usenull=f</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
  </row>
</form>
0 Karma