- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Flash Timeline in view for SavedSearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having trouble getting a flash timeline to populate with the results of a saved query in a view I'm trying to make. Is this possible? I've gotten it to work just fine for inline searches.
Here's my view xml:
<?xml version='1.0' encoding='utf-8'?>
<view template="dashboard.html">
<label>Month to Date - Purchases vs. Trials</label>
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="navigationHeader" />
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="HiddenSavedSearch" group="Total Downloads from TSC Store Purchases" layoutPanel="panel_row1_col1">
<param name="savedSearch">Downloads from TSC Store Purchases - Month to Date</param>
<param name="useHistory">True</param>
<module name="JobProgressIndicator"/>
<module name="ResultsHeader">
<param name="entityName">events</param>
<param name="entityLabel">downloads</param>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0.01</param>
<param name="charting.chart.sliceCollapsingLabel">Other</param>
<module name="FlashChart">
<param name="height">250px</param>
<param name="width">99%</param>
<param name="enableResize">False</param>
</module>
</module>
<module name="ShowHideHeader">
<param name="hideChildrenOnLoad">true</param>
<param name="label">All Results</param>
<param name="mode">serializeAll</param>
<module name="SimpleResultsTable" />
</module>
<module name="FlashTimeline">
<param name="renderer">auto</param>
<param name="maxBucketCount">1000</param>
<param name="enableResize">false</param>
<param name="height">250px</param>
<param name="width">99%</param>
</module>
</module>
</module>
</view>
Not sure why, but the flash timeline just isn't populating.
Can anyone shed some light on this for me? Any help is much appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem I think stems from the following sequence of facts
1) that your saved search is scheduled
2) that <param name="useHistory">auto</param> means that the HiddenSavedSearch will load the most recently scheduled search results,
3) that when searches are run by the scheduler they are by default run with status_buckets set to 0
4) The FlashTimeline basically needs the 'status buckets' to render itself.
If a search is kicked off with status_buckets set to 300, then there will be a lot of buckets (less than 300 generally), and if it's set to 1, then there will only be one giant bucket on FlashTimeline, and if it is set to 0, there will no bucket in your FlashTimeline at all - only an empty chart.
Solution 1:
You can edit the stanza for your savedsearch in savedsearches.conf and add this key:
dispatch.buckets = 300
Solution 2:
Change the Config so that useHistory is set to False. This will mean that the search is kicked off ad-hoc in the UI itself, and the UI will notice that the FlashTimeline module is there and dispatch the search with sufficient status buckets.
Note when considering both of these options that raising status_buckets has a significant effect on search efficiency.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem I think stems from the following sequence of facts
1) that your saved search is scheduled
2) that <param name="useHistory">auto</param> means that the HiddenSavedSearch will load the most recently scheduled search results,
3) that when searches are run by the scheduler they are by default run with status_buckets set to 0
4) The FlashTimeline basically needs the 'status buckets' to render itself.
If a search is kicked off with status_buckets set to 300, then there will be a lot of buckets (less than 300 generally), and if it's set to 1, then there will only be one giant bucket on FlashTimeline, and if it is set to 0, there will no bucket in your FlashTimeline at all - only an empty chart.
Solution 1:
You can edit the stanza for your savedsearch in savedsearches.conf and add this key:
dispatch.buckets = 300
Solution 2:
Change the Config so that useHistory is set to False. This will mean that the search is kicked off ad-hoc in the UI itself, and the UI will notice that the FlashTimeline module is there and dispatch the search with sufficient status buckets.
Note when considering both of these options that raising status_buckets has a significant effect on search efficiency.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response.
It appears that the FlashTimechart module only populates for searches that aren't using stored results (meaning the search should run when the page loads). I ended up just creating a saved search that timecharts count(events) on a per_hour() basis. All is right as rain.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
