Splunk Search

How to specify different time ranges for each panel on a dashboard using only one base search?

marcosrios
Explorer

Hi,

I'm trying to use a base search for different panels. I have this, but it's retrieving the same results in both panels. How do I specify different time ranges for each panel using only one search?

<dashboard>
    <label>My dashboard</label>
    <description/>
    <search id="top_errors">
        <query>index=A foo=X</query>    
    </search>
    <row>
        <panel>
            <table>
                <title>Top Errors (Past 10 minutes)</title>
                <search base="top_errors">
                    <earliest>-10m</earliest>
                    <latest>now</latest>
                </search>
            </table>
        </panel>
    </row>
    <row>
        <panel>
            <table>
                <title>Top Errors (Past 4 hours)</title>
                <search base="top_errors">
                    <earliest>-4h</earliest>
                    <latest>now</latest>
                </search>
            </table>
        </panel>
    </row>
</dashboard>

Regards!

0 Karma

stephanefotso
Motivator

Hello! Add a query tag to reformat results from a base search in your panels, e.g.:

           <table>
                 <title>Top Errors (Past 10 minutes)</title>
                 <search base="top_errors">
                     <query>
                            search log_level=error | stats sum(count)  as count
                     </query>
                     <earliest>-10m</earliest>
                     <latest>now</latest>
                 </search>
             </table>

For more information, read the post-process examples here: http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Savedsearches
Thanks

SGF
0 Karma

marcosrios
Explorer

Understood, but how can I filter the base result for a specific time range?

Suppose that my base search gets results for last 4hs.
In my panels I want to use the same search, but in one of the panels specify last 4hs and in the other the last 10 min.
How may I achieve that?

0 Karma

stephanefotso
Motivator
  1. Run your base search and save it as a report. Let's say top_errors
  2. Reference your report like this:

    <dashboard>
      <row>
        <panel>
          <title>Original report</title>
          <chart>
            <title>Top Errors (Past 10 minutes)</title>

            <search ref="top_errors">
              <!-- Modify time bounds -->
              <earliest>-10m</earliest>
              <latest>now</latest>
            </search>

          </chart>
        </panel>
        <panel>
          <title>Modified time bounds and visualization</title>
          <chart>
            <title>Top Errors (Past 4 hours)</title>

            <search ref="top_errors">

              <!-- Modify time bounds -->
              <earliest>-4h</earliest>
              <latest>now</latest>

            </search>

            <!-- Change visualization -->
            <option name="charting.chart">column</option>

          </chart>
        </panel>
      </row>
    </dashboard>

SGF
0 Karma

marcosrios
Explorer

The only difference I have between the panels is the time range. I don't want to post process the search.
Another question: if I set a base search, both panels will retrieve the results from the base search, right? Or will they run the same search independently?

Regards!

0 Karma

stephanefotso
Motivator

Panels in the dashboard use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard. If you set a base search, both panels will retrieve the results from the base search.

SGF
0 Karma

stephanefotso
Motivator

Referencing a search from a report can help you. Read about it here: http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Savedsearches

thanks

SGF
0 Karma