
Internal logs post search * for dashboard refresh

pradeepkumarg
Influencer

When a user keeps a dashboard/view which has auto refresh open, the internal logs (_internal) will have search * as an entry in sourcetype=searches against that user each time the dashboard gets refreshed (the query that is being used in the dashboard is not just *).

Is there a way to avoid this, or to differentiate the actual search query when the user just types * in the search bar (flash timeline)?

Here is my xml



  
  
  
  
  
    *
    False
    1
  
  
    splunk.search.job
    True
    1
    warn
  
  
        
     
    <script type="text/javascript">
      <!--
        var timeoutPeriod=120000;
        var interval = setInterval(refreshPage, timeoutPeriod);
        function refreshPage() {
            if ($$("input[name=autoRefreshCheckboxes]").is(":checked")) {
                location.reload(true);
            }
        } 
      //-->
    </script>
      
    <div style="float:left">
      <h2>Summary</h2>
    </div>
    <div style="float:right">  
      Auto-Refresh: <input type="checkbox" name="autoRefreshCheckboxes" checked="true">  
    </div>
  
  
    True
    
      True
      ACTIVE_DARK
      left
      Active Pod
      ACTIVE
      DARK
      
        $ACTIVE_DARK$
        True
        
          
            events_app_a
            auto            
            
              200
              none
              off              
              
                $click.fields.row 5$
                false
                $click.name2$
              
            
            
              <div class="TimeRange">      
       ACTIVE PODS - Results $results.timeRange.label$
      </div>
            
          
          
            top_reason
            auto            
            
              12
              none
              off
            
          
        
        
          
            events_app_a_dark
            auto            
            
              200
              none
              off              
              
                $click.fields.row 5$
                false
                $click.name2$
              
            
            
              <div class="TimeRange">
       DARK PODS - Results $results.timeRange.label$
      </div>
            
                    
          
            top_reason_dark
            auto            
            
              12
              none
              off
            
          
        
      
        
    
      eventS_app_b
      auto
      
      
        100
        none
        off
        
          $click.fields.row 5$
          false
          $click.name2$
        
      
        
  


1 Solution

sideview
SplunkTrust

OK. Just remove this param from your Switcher module:

<param name="requiresDispatch">True</param>

Just delete it entirely. That param is forcing a dispatch right where the Switcher is, and since there's neither a search nor a savedsearch defined upstream from that point, the framework is dispatching a "*" search over all time. Remove that one param and this dispatched search will go away. Also the removal thereof will not have any other effect on anything that I can see.

You're already using Sideview Utils 2.X (looking at your module config), and I think after this experience, you'll get a greater understanding by re-reading the "Introduction to Advanced XML" page, aka "framework_intro". It casts light on the upstream/downstream module definition, as well as the "how/when/where/why does the Splunk UI framework dispatch searches" question.

pradeepkumarg
Influencer

Thanks so much.. This worked 🙂

0 Karma

pradeepkumarg
Influencer

I've pasted my xml/view

0 Karma

sideview
SplunkTrust

Can you post or pastebin the XML of the view? I've seen this happen several times and in each case it was from the dashboard's author not fully understanding where and how the Splunk UI kicks off its searches. By rearranging the XML we were always able to get the "*" searches to go away and I strongly suspect we can do the same thing here.

0 Karma