Can you help me with a dashboard based on reports ...

patrycja · ‎01-09-2019

Hello,

I created a simple dashboard with some panels taking data from the index. It was taking a long time to load, so I created a scheduled report and converted all panel queries to load data from that report using loadjob savedsearch="hackathon:search:BaseSearch" events=true command.

My idea was to create a report which takes logs from "All time" and then adds a time filter to the dashboard to allow a user to get what he wants.

My problem is that the time picker on my dashboard doesn't affect panels. It was working correctly with queries taking data from the index, but is not working with queries taking data from the report. I literally took the same panel and just switched the data source in the query. All other filters work. The problem is only with the time picker.

I was trying different things already to make it work:

Adding
< earliest>$input_time.earliest$< /earliest> < latest>$input_time.latest$< /latest> in the panel source ( input_time is my time picker's token). It doesn't change anything.
Changing time range in the query setting
Shared time picker - was working with panels before changing to report. Now it is not.
Use time picker - this is not what I want.
Tokens - can't set it up, every time when I set it and click apply, it magically returns to its previous setting when opened again.
Global - doesn't work
Adding time filtering in query | eval timestamp_epoch = strptime(Timestamp, "%Y-%m-%dT%H:%M:%S.%3N%z") | where timestamp_epoch>relative_time(now(),"$input_time.earliest$") And this partially works! But, I still have some issues with it. It only allows me to filter by the beginning of the time period using input_time.earliest. When I want to use input_time.latest ( where timestamp_epoch < relative_time(now(),"$input_time.latest$") ), the query return no results. There obviously is some data, so that the query should return something. The second issue is that I can use only time ranges like "24 hours ago", "7 days ago", "... ago". When I try to set the time, for example from Jan 1st to Jan 5th, it shows an error: I think that Splunk doesn't know which "file" (or whatever structure it has) with data it should take, because one report is generating a new set of data every hour (report is scheduled to run once per hour).

Any idea how to make panels from report work with time picker?

bhavikbhalodia · ‎01-11-2019

Hi Patrycja,

You can create a datamodel which takes data from an index and reindex them. And after when you try to fetch data from datamodel at that time you can get a result more quickly. And you can apply the time range to search when you try to fetch data from datamodel.

Thanks,
Bhavik

gcusello · ‎01-09-2019

Hi patrycja,
I think that you should explore summaries: in other words: you have to run your report query with the same schedule you have, but at the end of the query use collect or tscollect commands to sore results in a summary index, then you can run your searches on this index and have a very performant search that you can filter using the fields you have.

Bye.
Giuseppe

patrycja · ‎01-09-2019

Good idea, but right now I don't have permissions to create an index. Is there any other way?

gcusello · ‎01-09-2019

you don't need to create an index, you can use the default summary index (summary) if you use the collect command, or a dedicated namespace if you use the tscollect command.
Bye.
Giuseppe

gcusello · ‎07-31-2019

Hi patrycja,
if you're satisfied by this answer, please accept and/or upvote it.

Bye, see next time.
Giuseppe

Can you help me with a dashboard based on reports that are filtering by time?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM