Re: refresh.auto.interval not working

johnraftery · ‎01-15-2016

Hi, I use a drop-down menu to set the refresh.auto.interval for a table:

<panel>
  <title>Real-Time Stats</title>
  <input type="dropdown" token="refresh_interval" searchWhenChanged="true">
    <label>Panel Refresh Override</label>
    <choice value="5">5 seconds</choice>
    <choice value="60">1 Minute</choice>
    <choice value="300">5 Minutes</choice>
    <default>300</default>
  </input>
  <table>
    <search>
      <query>eventtype=mlc2 sourcetype=tps | stats avg(duration) as average, count(duration) as count, stdev(duration) as stdev, median(duration) as median, perc95(duration) as perc95, perc99.5(duration) as perc99.5, min(duration) as min, max(duration) as max, earliest(_time) as start, latest(_time) as stop by operationIdentity</query>
      <earliest>$selection.earliest$</earliest>
      <latest>$selection.latest$</latest>
    </search>
    <option name="refresh.auto.interval">$refresh_interval$</option>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>

But it seems like the value is not taken into account; when viewing the table in real-time mode (eg 1 hour window), the table continuously refreshes, so it is quite hard to read.

Thanks,
John Raftery

bowesmana · ‎03-17-2016

Hi John,

I have what sounds like the same issue. I have a control panel that has the pan/zoom support, which passes onto other panels. Great to non RT dashboards, but RT has the continual refresh. I was trying to solve this with auto-sensing RT or non RT dashboards, so that in RT I could use the time picker time, rather than the zoom time, which never changes for RT. See https://answers.splunk.com/answers/379538/conditionally-set-search-time-range-depending-on-r.html

If you've found a solution can you share.
Cheers
Antony

johnraftery · ‎04-05-2016

Hi Antony, thanks for this, it sounds like we have the same problem. I haven't found any solution that gives me what I'm after. Have you?

chimell · ‎01-18-2016

hi johnraftery
you can use manually thsi option :
- Go in the bottom of your panel and click on :
-

gyslainlatsa · ‎01-15-2016

No johnraftery,

remove

<option name="refresh.auto.interval">10</option>

and write something like this

<dashboard refresh="10">
<panel>
    <table>
      <search>
        <query>|stats count |eval Time=now()|convert ctime(Time) as Time</query>
        <earliest>rt-1h</earliest>
        <latest>rtnow</latest>
      </search>
      <option name="wrap">true</option>
    </table>
 </panel>
 </dashboard>

johnraftery · ‎01-15-2016

I'm getting an XML error for this:

XML Syntax Error: Row, on line=381, contains unknown node=dashboard on line=382.

Are you allowed have a dashboard tag inside a row tag? This is what I have:

< form script="table_cell_highlighting.js" stylesheet="table_cell_highlighting.css,single_decorations.css">
...
< row>
< dashboard refresh="30">
< panel>
...

johnraftery · ‎01-15-2016

Are you suggesting I use < dashboard> instead of < form>?

gyslainlatsa · ‎01-15-2016

no, try put the refresh="30" in your < form> like this:

< form refresh="30">

or following this link:

https://answers.splunk.com/answers/24238/dashboard-automatic-refresh.html

johnraftery · ‎01-15-2016

Ah, I see. This isn't what I'm looking for - I don't want the whole dashboard to refresh periodically, I only want one panel to refresh.

gyslainlatsa · ‎01-15-2016

no, you can not use < dashboard refresh="30"> in the < form > tag

johnraftery · ‎01-15-2016

Ok, so what do you mean then?

gyslainlatsa · ‎01-15-2016

hi johnraftery,

You're using the Simplified XML, for example put the refresh="30" inside your tag, like this:

<dashboard refresh="30">
------
-------
-------

 </dashboard>

for more information, try following this link:

https://answers.splunk.com/answers/24238/dashboard-automatic-refresh.html

johnraftery · ‎01-15-2016

Where should the dashboard tag go? Do you mean something like this?

 <panel>
   <dashboard refresh="30">
   <table>
     <search>
       <query>|stats count |eval Time=now()|convert ctime(Time) as Time</query>
       <earliest>rt-1h</earliest>
       <latest>rtnow</latest>
     </search>
     <option name="wrap">true</option>
     <option name="refresh.auto.interval">10</option>
   </table>
   </dashboard>
 </panel>

renjith_nair · ‎01-15-2016

Token might not work in options though it works in Title. You might need to give an appropriate seconds value directly

---
What goes around comes around. If it helps, hit it with Karma 🙂

johnraftery · ‎01-15-2016

Thanks, I already tried hardcoding a value like 60, but it didn't seem to take effect.

renjith_nair · ‎01-15-2016

Strange, below works fine for me

<form>
  <label>TEST</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|stats count |eval Time=now()|convert ctime(Time) as Time</query>
          <earliest>rt-1h</earliest>
          <latest>rtnow</latest>
        </search>
        <option name="wrap">true</option>
        <option name="refresh.auto.interval">10</option>
      </table>
    </panel>
  </row>
</form>

Do you have dashboard refresh enabled ie ; entire dashboard?

---
What goes around comes around. If it helps, hit it with Karma 🙂

johnraftery · ‎01-15-2016

Good question. How would I enable dashboard refresh?

renjith_nair · ‎01-15-2016

Do you mind pasting the complete xml after masking your sensitive data ?

---
What goes around comes around. If it helps, hit it with Karma 🙂

johnraftery · ‎01-18-2016

Sure

<form script="table_cell_highlighting.js" stylesheet="table_cell_highlighting.css,single_decorations.css">
  <label>CONSULTANT_VIEW_LIVE_DEV</label>
  <description>A high level view for consultants</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="host_token" searchWhenChanged="true">
      <label>Data Source:</label>
      <search>
        <query>| metadata type=hosts index=mlc_demo and index=mlc_live | fields host</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <default>SPLUNK_DEMO</default>
      <prefix>host=</prefix>
    </input>
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Reports Time Picker</label>
      <default>
        <earliest>-4d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="checkbox" token="TPS_ON_OFF" searchWhenChanged="true">
      <choice value="ON">ON</choice>
      <default>ON</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$TPS_ON_OFF$">
      <title>TPS + LTS</title>
      <input type="checkbox" token="CPU_OVERLAY" searchWhenChanged="true">
        <choice value=" OR 1=1">ON</choice>
        <default>"where 1=2"</default>
      </input>
      <input type="checkbox" token="MLC_GC_OVERLAY" searchWhenChanged="true">
        <choice value=" OR 1=1">ON</choice>
        <default>"where 1=2"</default>
      </input>
      <chart>
        <search>
          <query>eventtype=mlc2 sourcetype=tps $host_token$ | where match(operationIdentity, "^[A-Z]") OR operationIdentity="buildCompilation" OR operationIdentity="commitXA" | eval value = endTime - startTime | rename operationIdentity as series | table _time series value | append [ search eventtype=mlc2 sourcetype=lts_timings $host_token$ | eval end_timestamp=strptime(end,"%Y-%m-%d %H:%M:%S") | eval end_event=mvappend("",end_timestamp.",".series."_STOP,".value,"") | eval series = series."_START" | mvexpand end_event | rex field=end_event "(?&lt;_time&gt;[^,]+),(?&lt;series&gt;[^,]+),(?&lt;value&gt;[^,]+)" | table _time series value ] | append [ search eventtype=mlc2 sourcetype=vmstat-linux $host_token$ | $CPU_OVERLAY$ | rex field=source "/(?&lt;source_short&gt;[^/]+).{24}$" | rename cpu_used as value | table _time series value ] | append [ search eventtype=mlc2 sourcetype=sun_jvm $host_token$ service_name=*mlc*.gc.log | $MLC_GC_OVERLAY$ | eval series = "CMS" | eval value=if(isnotnull(cms_reset),1,null) | table _time series value ] | append [ search eventtype=mlc2 sourcetype=sun_jvm $host_token$ service_name=*mlc*.gc.log | $MLC_GC_OVERLAY$ | eval series = "FULL GC" | eval value=if(isnotnull(full_gc),1,null) | table _time series value ] | eventstats max(value) as top | eval value=if((series="CMS" OR series="FULL GC") AND value=1,top,value) | timechart bins=2000 max(value) by series limit=0</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">1</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.data.count">20000</option>
        <option name="charting.chart.resultTruncationLimit">20000</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">TPS Time (ms)</option>
        <option name="charting.axisTitleY2.text">CPU usage (%)</option>
        <option name="charting.axisY2.minimumNumber">0</option>
        <option name="charting.axisY2.maximumNumber">100</option>
        <option name="height">590</option>
        <selection>
          <set token="selection.earliest">$start$</set>
          <set token="selection.latest">$end$</set>
        </selection>
      </chart>
    </panel>
  </row>
  <row>
    <panel refresh="30" depends="$TPS_ON_OFF$">
      <title>MLC Real-Time Stats (for the time-period selected in the chart above)</title>
      <input type="dropdown" token="refresh_interval" searchWhenChanged="true">
        <label>Panel Refresh Override</label>
        <choice value="5">5 seconds</choice>
        <choice value="60">1 Minute</choice>
        <choice value="300">5 Minutes</choice>
        <default>300</default>
      </input>
      <table>
        <search>
          <query>eventtype=mlc2 sourcetype=tps $host_token$ | where match(operationIdentity, "^[A-Z]") OR operationIdentity="buildCompilation" OR operationIdentity="commitXA" | eval duration = endTime - startTime | stats avg(duration) as average, count(duration) as count, stdev(duration) as stdev, median(duration) as median, perc95(duration) as perc95, perc99.5(duration) as perc99.5, min(duration) as min, max(duration) as max,earliest(_time) as start, latest(_time) as stop by operationIdentity  | eval average = round(average, 1) | eval time_slice_per_min = (stop-start)/60 | eval Throughput_per_minute= count/time_slice_per_min | eval stdev = round(stdev, 1) | rename operationIdentity as operation_identity | sort operationIdentity | fields - stop - start - time_slice_per_min</query>
          <earliest>$selection.earliest$</earliest>
          <latest>$selection.latest$</latest>
        </search>
        <option name="refresh.auto.interval">60</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
        <drilldown>
          <set token="dummy_token">0</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

renjith_nair · ‎01-18-2016

Please remove refresh=30 from though it's not affecting anything. It doesn't do anything as well. I have tried your last panel by changing the search to mine and it's working as expected.
Can you just open this dashboard in a new browser window and try? Try creating a test dashboard with the refreshing panel only and try as well.

---
What goes around comes around. If it helps, hit it with Karma 🙂

johnraftery · ‎01-18-2016

Thanks, I've given that a go, no luck unfortunately. In the past I've found that sometimes having an append in the search can affect the real-time behaviour. Do you think that might be the case here?

refresh.auto.interval not working

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...