Dashboards & Visualizations

define refresh interval for form/dashboard

rashid47010
Communicator

I have one dashboard with multiple panels(in line searches)
How can I change the refresh interval for my dashboard/form.

Tags (1)
0 Karma

avaishsplunk
Path Finder
I faced the same issue, create a  hidden panel on your dashboard and set the refresh interval as per your requirement for that panel, once that refreshes the entire dashboard will refresh, you will have to set the refresh interval individually for each query also

<panel>
      <single depends="$nothing$">
        <search id="abc">
          <query>"Put any of your queries here"
         </query>
         <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.auto.interval">60</option>
      </single>
  </panel>
0 Karma

avaishsplunk
Path Finder

Hello Gokadroid,

This probably will work for dashboard, in my case it was a form this was the reason putting refresh in the top will not work.

Regards

0 Karma

gokadroid
Motivator

Which version of Splunk are you using. You might not need to refresh all the queries piecemeal and can refresh the entire dashboard every 15 secs. using refresh="15" . I have tried it on 6.4.2 and 6.5.0. See my comment above for sample code of how to make it work and see if that helps in your case.

0 Karma

gokadroid
Motivator

It depends on the version of Splunk you are using. Since the latest version gives you the option to refresh the query within a panel then start from there:

<search>
     <query>
     </query>
     <earliest></earliest>
     <latest></latest>
     <sampleRatio></sampleRatio>
     <refresh>5m</refresh>
   </search>

Otherwise depending on the Splunk version following might work:

Form refresh:

<form refresh="30"> 

Dashboard refresh

<dashboard refresh="30">

Panel refresh

<option name="refresh.auto.interval">60</option>

rashid47010
Communicator

hi
little confusing to me

I have on form, where I have three panels. each panel have query. I want to refresh all panels once.

I use form refresh query " " but it gives me error. my xml code is

xxx Dashboard
xxx

<input type="time" searchWhenChanged="true">
  <label>Search</label>
  <default>
    <earliest>@d</earliest>
    <latest>now</latest>
          </default>
</input>


<panel>
  <table>
    <title>Malware Found</title>
    <search>
      <query>index=xxx_sxx xxxxxxxx | stats values(vxxxn),values(file_namxxxx),values(Fiezzzh),values(A\\\\) by xxxx,xx,sigxxx</query>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <table>
    <titlesssE</title>
    <search>
      <query>index=sss | eval est_time=strftime(_time, "%Y-%d-%m %H:%M") |stats values(ss) as "Action" ,values(ss1) as "sss",values(ssss),values(css) as URL,values(ssr) as "Source User",values(sssr) as "eeer",values(eert),values(eee),values(seec)  by eeee</query>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <chart>
0 Karma

gokadroid
Motivator

Here is a sample code of a dashobard which refreshes every 15 secs in Splunk 6.4.2 irrespective of however many panels it has. My example has three panels and doesn't need each query refresh but only <dashboard refresh="15"> at the top:

<dashboard refresh="15">
  <label>timer</label>
  <row>
    <panel>
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults | eval abc=relative_time(now(), "-1s") | table abc</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults | eval abc=relative_time(now(), "-2s") | table abc</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Panel 3</title>
        <search>
          <query>| makeresults | eval abc=relative_time(now(), "+1s") | table abc</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</dashboard>

If you happen to have <form>...</form> use it refresh="15" similarly like it is used in dashboard above <form refresh="15">...</form>

Same should work in 6.5.0.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...