- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Changing time range in Saved Report utilized in Da...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changing time range in Saved Report utilized in Dashboard
We created saved reports that have been scheduled to run over night (Range=Last 24 hours). These saved reports are utilized by dashboards through base searches.
We want to be able to change the time range of the report in the dashboard so its not always displaying the results gathered in the last 24 hours. Right now, whenever we changed the time picker in the dashboard, the results stay the same.
<form>
<label>Title</label>
<description>Description</description>
<search id="base_search" ref="BaseSearch-SavedReport">
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="false" autoRun="True">
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>TITLE</title>
<search base="base_search">
<query>| stats sparkline count by host | sort -count</query>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">heatmap</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">true</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<table>
<title>TITLE</title>
<search base="base_search">
<query>| stats sparkline count by dest | sort -count</query>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">heatmap</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">true</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do that, but unless you carefully control it, you are going to cause yourself many headaches if you go down that route.
Basically, if you keep the dashboard based on a saved report, there is very little load on the indexers. If you allow the users to wander off the saved report, then you are running new searches for real. How many users do you want doing that?
The most obvious architecture to get you where you want to go is to have dropdowns that allow the user to select the base search, which could be any of a limited range of saved searches that you have devised and scheduled.
That's not tough to do, and once you learn how to do it it doesn't require a lot of maintenance, except when you add or remove options. Here's one example...
https://answers.splunk.com/answers/341223/how-to-load-a-scheduled-report-in-a-dashboard-pane.html
If you stick to a single savedsearch, and just give them a choice to select prior versions of it, then you can have the base search using loadjob with artifact_offset=N (where N is however many prior generations back you want).
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Loadjob
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
