
Internal logs post search * for dashboard refresh

pradeepkumarg
Influencer

When a user keeps a dashboard/view which has auto-refresh open, the internal logs (_internal) will have search * as an entry in sourcetype=searches against that user each time the dashboard gets refreshed (the query that is being used in the dashboard is not just *).

Is there a way to avoid this, or to differentiate the actual search query when the user just types * in the search bar (flash timeline)?

Here is my XML:



  
  
  
  
  
    *
    False
    1
  
  
    splunk.search.job
    True
    1
    warn
  
  
        
     
    <script type="text/javascript">
      <!--
        var timeoutPeriod=120000;
        var interval = setInterval(refreshPage, timeoutPeriod);
        function refreshPage() {
            if ($$("input[name=autoRefreshCheckboxes]").is(":checked")) {
                location.reload(true);
            }
        } 
      //-->
    </script>
      
    <div style="float:left">
      <h2>Summary</h2>
    </div>
    <div style="float:right">  
      Auto-Refresh: <input type="checkbox" name="autoRefreshCheckboxes" checked="true">  
    </div>
  
  
    True
    
      True
      ACTIVE_DARK
      left
      Active Pod
      ACTIVE
      DARK
      
        $ACTIVE_DARK$
        True
        
          
            events_app_a
            auto            
            
              200
              none
              off              
              
                $click.fields.row 5$
                false
                $click.name2$
              
            
            
              <div class="TimeRange">      
       ACTIVE PODS - Results $results.timeRange.label$
      </div>
            
          
          
            top_reason
            auto            
            
              12
              none
              off
            
          
        
        
          
            events_app_a_dark
            auto            
            
              200
              none
              off              
              
                $click.fields.row 5$
                false
                $click.name2$
              
            
            
              <div class="TimeRange">
       DARK PODS - Results $results.timeRange.label$
      </div>
            
                    
          
            top_reason_dark
            auto            
            
              12
              none
              off
            
          
        
      
        
    
      eventS_app_b
      auto
      
      
        100
        none
        off
        
          $click.fields.row 5$
          false
          $click.name2$
        
      
        
  


1 Solution

sideview
SplunkTrust

OK. Just remove this param from your Switcher module:

<param name="requiresDispatch">True</param>

Just delete it entirely. That param is forcing a dispatch right where the Switcher is, and since there's neither a search nor a savedsearch defined upstream from that point, the framework is dispatching a "*" search over all time. Remove that one param and this dispatched search will go away. As far as I can see, removing it will not have any other effect on anything.

You're already using Sideview Utils 2.X (looking at your module config), and I think after this experience you'll get a greater understanding by re-reading the "Introduction to Advanced XML" page, aka "framework_intro". It casts light on the upstream/downstream module definition, as well as the "how/when/where/why does the Splunk UI framework dispatch searches" question.

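To make the upstream/downstream point concrete, here is a stripped-down Advanced XML view added as an editorial example; it is not the poster's view and not Sideview's own sample code. It shows where the Switcher sits relative to the searches it gates: nothing above the Switcher dispatches anything, and each group carries its own Search module, so the only dispatches are real queries with a real time range. Module and param names (Pulldown, Switcher, selectedGroup, requiresDispatch, Search, SimpleResultsTable, the group attribute on child modules) are from my recollection of Sideview Utils 2.x and core Splunk Advanced XML; the `pod_events` sourcetype and the `status` field in the queries are made up for illustration. Check them against your version's module reference before copying.

```xml
<view template="dashboard.html">
  <label>Switcher dispatch example (editorial, not the poster's view)</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>

  <!-- Nothing upstream of this point dispatches a search. -->
  <module name="Pulldown" layoutPanel="panel_row1_col1">
    <param name="name">ACTIVE_DARK</param>
    <param name="label">Active Pod</param>
    <param name="staticOptions">
      <list><param name="label">Active</param><param name="value">ACTIVE</param></list>
      <list><param name="label">Dark</param><param name="value">DARK</param></list>
    </param>

    <module name="Switcher">
      <param name="selectedGroup">$ACTIVE_DARK$</param>
      <!-- The param that produced the "search *" entries in _internal was:
             <param name="requiresDispatch">True</param>
           With no Search or SavedSearch upstream, honouring it means the
           framework dispatches "*" over all time on every page refresh.
           Leave it out; the Switcher needs no dispatch to show or hide groups. -->

      <!-- Each group carries its own Search, so the dispatch happens here,
           downstream of the Switcher, with a real query and a bounded time range.
           sourcetype=pod_events and the status field are assumed for illustration. -->
      <module name="Search" group="ACTIVE">
        <param name="search">sourcetype=pod_events status=ACTIVE | stats count by host</param>
        <param name="earliest">-24h</param>
        <param name="latest">now</param>
        <module name="SimpleResultsTable">
          <param name="count">200</param>
          <param name="drilldown">none</param>
        </module>
      </module>

      <module name="Search" group="DARK">
        <param name="search">sourcetype=pod_events status=DARK | stats count by host</param>
        <param name="earliest">-24h</param>
        <param name="latest">now</param>
        <module name="SimpleResultsTable">
          <param name="count">200</param>
          <param name="drilldown">none</param>
        </module>
      </module>
    </module>
  </module>
</view>
```

The same rule applies to any module with a dispatch-forcing param (requiresDispatch, or a module that needs a search context to render): if the framework has to dispatch at that point and no Search or SavedSearch sits above it, what gets dispatched is the empty default, which is "*" over all time. Place such modules downstream of the Search they are meant to wait for, or drop the param.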


pradeepkumarg
Influencer

Thanks so much. This worked 🙂


pradeepkumarg
Influencer

I've pasted my XML/view.


sideview
SplunkTrust

Can you post or pastebin the XML of the view? I've seen this happen several times, and in each case it was from the dashboard's author not fully understanding where and how the Splunk UI kicks off its searches. By rearranging the XML we were always able to get the "*" searches to go away, and I strongly suspect we can do the same thing here.
