- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Real time dasboard and Saved Search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Real time dasboard and Saved Search
Can I use a Saved Search in a dashboard and display it in Real Time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Just make sure when you save that search have the time range set to Real-Time and the desired window of time you want. If an existing search and you want to change the time range just go into manager - searches & reports - select the search and under Start Time you should have something like rt-1m and under Finish Time: rt.
Then you can build a simple dashboard and use that saved search. Here is a link on building simple dashboards.
http://www.splunk.com/base/Documentation/latest/User/CreateSimpleDashboards
Travis.
Ok this sounds like you should try building an advanced dashboard.
http://www.splunk.com/base/Documentation/4.1.3/Developer/AdvancedDashboard
Below is an example of what I think you could use. This will give you a TimeRange picker that will control the SavedSearch. Let me know if this helps.
<view template="dashboard.html" refresh="600">
<label>Title</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module><!-- /message/AppBar/AccountBar -->
<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
<param name="searchWhenChanged">True</param>
<module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" group="Title" autoRun="true">
<param name="savedSearch">(your saved search here)</param>
<module name="Paginator">
<param name="count">10</param>
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
</module><!-- /SimpleResultsTable -->
</module><!-- /Paginator-->
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
<param name="popup">True</param>
</module><!-- /ViewRedirectorLink-->
</module><!-- /HiddenSavedSearch -->
</module><!-- /TimeRangePicker -->
</view>
Travis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try throwing a
If nothing else you could always clone/copy the saved search and use that copy to run your dashboard.
Travis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Travis. It seems to work fine exect I get a big red rubbon error: "Configuration error - HiddenSavedSearch has both parent modules like TimeRangePicker, and also a dispatched job from the scheduler."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hell Travis, the problem is that we need also to schedule this search for report delivery. If a use rt, I cannot schedule it. Do you know if there is a way in a dashboard to have the parameters take precedence over the one in the Saved Search?
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
