Dashboards & Visualizations

Dashboard SearchTemplate

jrich523
Path Finder

I'm doing a fairly simple search template that just isn't working. It seems to be limited at 1000 events? (can't find any docs that would suggest this) and only 1 of the 3 charts even attempts to use the template at all.

It looks like the first timechart count works ok (only populates 1000) and the following timecharts (that have a "by") are getting all nulls.

So, two questions: is there a limit, and if so, do I have any control over it?
Why are charts 2 and 3 getting all empty entries?

 <form>
  <label>General Usage Stats</label>
  <description/>
  <searchTemplate>sourcetype="f5:irule:webaccess" | rex field=url "(?&lt;base&gt;[^?]+)\?(?&lt;querystring&gt;.*)"  | eval kb=(response_data_size/1024)</searchTemplate>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Total Hits</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
    <chart>
      <title>Hits by URL</title>
      <searchPostProcess>timechart count by base limit=5 useother=f usenull=f</searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="count">10</option>
    </chart>
    <chart>
      <title>Hits by Server</title>
      <searchPostProcess>timechart count by server_name limit=5 useother=f usenull=f</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
  </row>
</form>
0 Karma

MuS
SplunkTrust

Hi jrich523,

You should use a transforming command within your searchTemplate for best results and to omit the limit you suspect to hit. Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/AdvancedDev/PostProcess to get more details on this.

cheers, MuS

0 Karma

ngatchasandra
Builder

To answer your question, I have taken your source code and tested it with my own request based on my data. When I did this, all charts didn't show the results. Then, I took each of my requests and tested them in the Splunk search bar, and all worked well. For example, this is my SearchTemplate:
index=project1_index | rex "\d+-\d+-\d+ \d+:\d+:\d+ (?<Host>[a-zA-Z0-9.-]+)"|rex max_match=0 "(?i) STRING: \"\"(?P<FIELDNAME>[^\"]+)" | eval Source=mvindex(FIELDNAME,0) | eval kb=(data_second/1024)

Note: All my fields are extracted from _raw.

The request works well! So it is the default value of your time input that has a problem, because when I remove the following:

<default>
   <earliestTime>-15m</earliestTime>
   <latestTime>now</latestTime>
</default>

In my case, it means that no events reach -15m or now.
I think there is no problem with a limit. My code looks like the following:

<form>
   <label>General Usage Stats</label>
   <description/>
   <searchTemplate>index=project1_index |  rex "\d+\-\d+\-\d+ \d+\:\d+:\d+ (?&lt;Host&gt;[a-zA-Z0-9.-]+)"|rex max_match=0 "(?i) STRING: \"\"(?P&lt;FIELDNAME&gt;[^\"]+)"| eval Source=mvindex(FIELDNAME,0) | eval kb=(data_second/1024)</searchTemplate>
   <fieldset autoRun="true" submitButton="false">
     <input type="time" searchWhenChanged="true">
     </input>
   </fieldset>
   <row>
     <chart>
       <title>Total Hits</title>
       <searchPostProcess>timechart count</searchPostProcess>
       <option name="charting.chart">line</option>
     </chart>
     <chart>
       <title>Hits by URL</title>
       <searchPostProcess>timechart count by Host limit=5 useother=f usenull=f</searchPostProcess>
       <option name="charting.chart">line</option>
       <option name="count">10</option>
     </chart>
     <chart>
       <title>Hits by Server</title>
       <searchPostProcess>timechart count by Source limit=5 useother=f usenull=f</searchPostProcess>
       <option name="charting.chart">line</option>
     </chart>
   </row>
 </form>
0 Karma