Dashboards & Visualizations

Real time dasboard and Saved Search

bulliarda
Explorer

Can I use a Saved Search in a dashboard and display it in Real Time?

thall79
Communicator

Yes. Just make sure when you save that search have the time range set to Real-Time and the desired window of time you want. If an existing search and you want to change the time range just go into manager - searches & reports - select the search and under Start Time you should have something like rt-1m and under Finish Time: rt.

Then you can build a simple dashboard and use that saved search. Here is a link on building simple dashboards.

http://www.splunk.com/base/Documentation/latest/User/CreateSimpleDashboards

Travis.


Ok this sounds like you should try building an advanced dashboard.

http://www.splunk.com/base/Documentation/4.1.3/Developer/AdvancedDashboard

Below is an example of what I think you could use. This will give you a TimeRange picker that will control the SavedSearch. Let me know if this helps.

  <view template="dashboard.html" refresh="600">
   <label>Title</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module><!-- /message/AppBar/AccountBar -->

  <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
   <param name="searchWhenChanged">True</param>

  <module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" group="Title" autoRun="true">
  <param name="savedSearch">(your saved search here)</param>

  <module name="Paginator">
      <param name="count">10</param>
      <param name="entityName">results</param>
      <param name="maxPages">10</param>
  <module name="SimpleResultsTable">
  </module><!-- /SimpleResultsTable -->
  </module><!-- /Paginator-->
  <module name="ViewRedirectorLink">
          <param name="viewTarget">flashtimeline</param>
    <param name="popup">True</param>      

  </module><!-- /ViewRedirectorLink--> 
  </module><!-- /HiddenSavedSearch -->

  </module><!-- /TimeRangePicker -->

  </view>

Travis.

thall79
Communicator

Try throwing a false on the next line under the HiddenSavedSearch module.

If nothing else you could always clone/copy the saved search and use that copy to run your dashboard.

Travis.

0 Karma

bulliarda
Explorer

Hi Travis. It seems to work fine exect I get a big red rubbon error: "Configuration error - HiddenSavedSearch has both parent modules like TimeRangePicker, and also a dispatched job from the scheduler."

0 Karma

bulliarda
Explorer

Hell Travis, the problem is that we need also to schedule this search for report delivery. If a use rt, I cannot schedule it. Do you know if there is a way in a dashboard to have the parameters take precedence over the one in the Saved Search?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...