Can we call different saved searches based on syst...

lahariveerlapat · ‎11-21-2013

Hi I want to display different graphs within a single panel in adashboard based on system time or elase I want to display different graphs for every 5 minutes within a single panel please help me how can i achieve this?Any suggestions are appreciated

norbert_hamel · ‎11-23-2013

Hi,

this is possible using sideview utils (2.4.10 in my case).

See the example below. This should run out of the box on any instance where the sideview is installed since it takes events from _internal index only.

Here we have a dashboard that is refreshed every minute using refresh="60". In the first step this dashboard will execute a short search against _internal index and get the first result, just to get the time when this dashboard has been refreshed. Then we calculate a new value based on the minute of the current time, so in this case we switch this value every 5 minutes from "First" to "Second".

Then we use the Switcher module to define 2 different charts with different searches. The first chart shows log_level of _internal logs as column chart, the second chart shows status values from _internal log as area chart.

So using this approach you can define any number of different searches, chart types or whatever you want, and select the appropriate chart based on any condition. For example, instead of switching the chart every 5 minutes you could change the chart based on the weather forecast or based Dow Jones values 🙂

Cheers

Norbert

<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="60" template="dashboard.html">
  <label>Timeswitcher Dashboard</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="DashboardTitleBar" layoutPanel="viewHeader"/>

<module name="URLLoader" layoutPanel="viewHeader" autoRun="True">

 <module name="Search" layoutPanel="panel_row3_col1" autoRun="True">
 <param name="search">
 <![CDATA[
 index=_internal  | head 1 | addinfo | eval SwitcherValue=case(date_minute<=5,"First",date_minute<=10,"Second",date_minute<=15,"First",date_minute<=20,"Second",date_minute<=25,"First",date_minute<=30,"Second",date_minute<=35,"First",date_minute<=40,"Second",date_minute<=45,"First",date_minute<=50,"Second",date_minute<=55,"First",date_minute<=00,"Second") | table SwitcherValue
 ]]>
 </param>

  <module name="ResultsValueSetter">
  <param name="fields">SwitcherValue</param>

   <module name="Switcher" group=" ">
   <param name="selectedGroup">$SwitcherValue$</param>


    <module name="Search" layoutPanel="panel_row1_col1"  group="First"  autoRun="True" >
     <param name="search">
     index=_internal earliest=-15m latest=now() | timechart span=1min count by log_level
     </param>     
     <module name="HiddenChartFormatter">
      <param name="charting.chart">column</param>
      <param name="charting.chart.stackMode">stacked</param>
      <param name="charting.chart.nullValueMode">connect</param>
      <param name="primaryAxisTitle.text">Time</param>
      <module name="JSChart"></module>
     </module>     
    </module>     

    <module name="Search" layoutPanel="panel_row1_col1"  group="First"  autoRun="True" >
     <param name="search">
     index=_internal earliest=-15m latest=now() | timechart span=1min count by status
     </param>     
     <module name="HiddenChartFormatter">
      <param name="charting.chart">area</param>
      <param name="charting.chart.stackMode">stacked</param>
      <param name="charting.chart.nullValueMode">connect</param>
      <param name="primaryAxisTitle.text">Time</param>
      <module name="JSChart"></module>
     </module>     
    </module>     

   </module>
  </module>
    </module>
</module> 
</view>

lahariveerlapat · ‎11-24-2013

One more thing I forgot to ask you I am using splunk 6 beta version and have installed the sideview utils 2.7 When I try this example Iam not getting the previous error which I have already told you "splunk encouterd the following sideview module unable to load properly" but Iam not getting the graphs on my dashboard(I tried in splunk 5 and it's working).Do You what would be the reason?

lahariveerlapat · ‎11-24-2013

To refresh the dashboard for every 1 minute I have given as below
refresh="60"
date_minute<=1,"First",
date_minute<=2,"Second",
date_minute<=3,"First",
date_minute<=4,"Second",
|

date_minute<=00,"First",
In the same way I want refresh the dsahboard for every 10 seconds so I tried as below
refresh="10"
date_second<=10,"First",
date_second<=20,"Second",
date_second<=30,"First",
date_second<=40,"Second",
date_second<=50,"First",
date_second<=00,"Second",
but the same graphs Iam getting when dashboard is refreshing for 10 seconds how to specify the time in seconds here?

norbert_hamel · ‎11-24-2013

The date_minute or date_time is just used to create the condition on which we decide what to display.

The refresh of the dashboard itself is defined in the heading section with: refresh="60".

Does this answer your question or didn't I understood the question?

lahariveerlapat · ‎11-24-2013

It's working perfectly thanks for your valuable suggestions,I want to refresh the page for every 10 seconds so I repalced "date_minute" with "date_second" and specified the values respectively but it's not working how can i replace minutes with seconds?

norbert_hamel · ‎11-24-2013

I am using this on Splunk 6 as well. You just need the sideview 2.4.10 or above. This is not the version on the app base, you can retrieve this from http://sideviewapps.com/. As far as I know this solution is not possible with Splunk itself, or you might go for Javascript/HTML.

Can we call different saved searches based on systemtime automatically in a dashboard?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM