Splunk Search

Modifying timechart's span based on selected range

bojanz
Communicator

Hi,

I want to have different span values depending on the selected time range. For example, if the user selected up to 15 minutes, the span should be 5s; for 15 minutes to 4 hours, 10m; for 4 hours to 24 hours, 1h; and over that, 1d.

I've been using the time hack macro I've seen in the Web Intelligence app to define the index I want to search, and this works nicely. However, when I embed the timechart command into the macro it fails with a weird error: DISPATCHCOMM_RP_FAIL

The macro I used looks like this:

[mymacro(2)]
args = arg1, arg2
definition = [stats count | addinfo | eval range=info_max_time - info_min_time | eval search=case(range<=960, "mysearch | timechart span=5s sum(field)", range>960 AND range<=90000, "..... | timechart span=10m sum(field)")]

I also tried calling a macro from a macro but it didn't work.

Is there a way to get variable span in the timechart function, depending on the selected range?

1 Solution

sideview
SplunkTrust

The main thing going on here is that you cannot output whole commands and sequences of pipe-separated commands from a subsearch. Subsearches can only yield out arguments to single commands.

Then the second thing going on is that ordinarily there's a quite helpful message to tell you about this, and something here is preventing the normal helpful message from appearing, so instead you're getting the "DISPATCHCOMM_RP_FAIL" error. I would guess it's because the lack of any other terms in the initial command confuses the search parser.

Anyway, you can run this similar but different search. Note the star and pipe in the outer expression. It's also an invalid search but you'll get a more informative error:

* | [stats count | addinfo | eval range=info_max_time - info_min_time | eval search=case(range<=960, "mysearch | timechart span=5s sum(field)", range>960 AND range<=90000, "..... | timechart span=10m sum(field)")]

Running that one will give you this error: Subsearches are only valid as arguments to commands.

So now that you know that, all you have to do is rework it so that your subsearch passes out arguments to timechart instead of the whole timechart command.

* | timechart [stats count | addinfo | eval range=info_max_time - info_min_time | eval search=case(range<=960, "span=5s count", range>960 AND range<=90000, "span=10m count", 1==1, " count")]

Works like a charm.


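The accepted answer shows the technique with two of the brackets filled in and a "....." placeholder. Below is a complete version of the same search covering all four brackets from the question (up to 15 minutes, 15 minutes to 4 hours, 4 hours to 24 hours, longer). This is an added example, not code from the original thread or from the Web Intelligence app: the index, sourcetype, status filter and the `server_errors` field name are made-up assumptions, and `makeresults` is used instead of the `stats count` trick from the answer to produce the single row that `addinfo` annotates.

```spl
index=web sourcetype=access_combined status>=500
| timechart
    [| makeresults
     | addinfo
     | eval range=info_max_time - info_min_time
     | eval search=case(
           range<=900,   "span=5s",
           range<=14400, "span=10m",
           range<=86400, "span=1h",
           1==1,         "span=1d")
     | fields search]
    count AS server_errors
```

Two things to keep in mind when adapting it. First, the subsearch inherits the outer search's time picker range, so `info_min_time` and `info_max_time` describe what the user selected; a field named `search` is substituted verbatim into the `timechart` command before that command is parsed, which is why the subsearch may return only the `span=...` argument and leave `count AS server_errors` outside. Second, for an "All time" range `info_max_time` is not a finite number, so `range` is not numeric, every comparison in `case()` is false, and the search falls through to the `1==1` default of `span=1d`. To check what will be substituted for a given picker setting, run just the bracketed subsearch (from `| makeresults` to `| fields search`) on its own over that time range and read the `search` field it returns.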

bojanz
Communicator

Great, thanks for this!

I found another way in the meantime too - the Web Intelligence application has a very nice custom module called HiddenSearchSwapper that allows you to set up different searches for different time ranges.

So you can just use this module, set time ranges and populate searches you want to be used depending on the selected time range.
