
Sideviews Search with a subsearch to define the gauge range

guilmxm
SplunkTrust

Hi,

I am managing 2 Splunk applications (Splunk for Netfilter Iptables, Splunk for Fail2ban).

I would like to convert a search into a sideview search (V2.x version):

          <module name="HiddenSearch" layoutPanel="panel_row2_col2">
            <param name="search">
`iptables_index` `iptables_src` | bucket _time span=5m | stats count by _time | stats sum(count) as count by _time
| sort - count | head 1 | fields - _time | gauge count [search `iptables_index` `iptables_src` earliest=-24h@h latest=-1h@h | bucket _time span=5m 
| stats count by _time | stats mean(count) as mean | eval first=0 | eval second=mean*4 | eval third=mean*6 
| eval fourth=mean*8 | eval second=round(second,0) | eval third=round(third,0) | eval fourth=round(fourth,0) 
| eval range=first+" "+second+" "+third+" "+fourth | return $range]
            </param>

I need to use a Sideview Search module to be able to use my $Span$ instead of a static value (defined by a macro and downstreamed with ResultsValueSetter).

However, each time I try to do so, it doesn't work, with a "[" missing message (if I leave $range with only one $) or: Error in 'return' command: command="return", Usage: [count] attr, $attrval, alias=attr, ...

I am trying to use:

          <module name="Search" layoutPanel="panel_row2_col2">
            <param name="search">
`iptables_index` `iptables_src` | bucket _time span=$Span$ | stats count by _time | stats sum(count) as count by _time
| sort - count | head 1 | fields - _time | gauge count [search `iptables_index` `iptables_src` earliest=-24h@h latest=-1h@h | bucket _time span=$Span$ 
| stats count by _time | stats mean(count) as mean | eval first=0 | eval second=mean*4 | eval third=mean*6 
| eval fourth=mean*8 | eval second=round(second,0) | eval third=round(third,0) | eval fourth=round(fourth,0) 
| eval range=first+" "+second+" "+third+" "+fourth | return $range]
            </param>

Or:

          <module name="Search" layoutPanel="panel_row2_col2">
            <param name="search">
`iptables_index` `iptables_src` | bucket _time span=$Span$ | stats count by _time | stats sum(count) as count by _time
| sort - count | head 1 | fields - _time | gauge count [search `iptables_index` `iptables_src` earliest=-24h@h latest=-1h@h | bucket _time span=$Span$ 
| stats count by _time | stats mean(count) as mean | eval first=0 | eval second=mean*4 | eval third=mean*6 
| eval fourth=mean*8 | eval second=round(second,0) | eval third=round(third,0) | eval fourth=round(fourth,0) 
| eval range=first+" "+second+" "+third+" "+fourth | return $range$]
            </param>

Indeed, the problem only occurs when I try to define the gauge range using a subsearch, which I guess could be related to:
http://splunk-base.splunk.com/answers/79518/problem-with-subsearch-returning-value-and-sideview-util...

The goal of my search is to define the peak load with the same bin value being used by the previous charting search and dynamically define the gauge range value. (No problem with my search using Sideview Search if I set the gauge range statically.)

Here is all the current code (with the search in question not using the Sideview Search module):

          <module name="Search" layoutPanel="panel_row2_col1">
            <param name="search">
              `iptables_index` `iptables_src` | timechart span=$Span$ count as Denied_Connections by iptables_host
            </param>

            <module name="HTML">
              <param name="html"><![CDATA[
              <h3>Alert Trend: Denied connections by Iptables reporting host (per $Showspan$ time window)</h3>
              ]]></param>

            </module>

            <module name="HiddenFieldPicker">
              <param name="strictMode">True</param>
              <module name="JobProgressIndicator">
                <module name="EnablePreview">
                  <param name="display">False</param>
                  <param name="enable">True</param>
                  <module name="HiddenChartFormatter">
                    <param name="charting.chart.stackMode">stacked</param>
                    <param name="charting.legend.placement">bottom</param>
                    <param name="charting.chart">area</param>
                    <param name="charting.axisTitleX.text">Time</param>
                    <param name="charting.axisTitleY.text">Denied connections</param>
                    <module name="JSChart">
                      <param name="width">100%</param>
                      <param name="height">250px</param>
                      <module name="ConvertToDrilldownSearch">
                        <module name="ViewRedirector">
                          <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                    <module name="ViewRedirectorLink">
                      <param name="viewTarget">flashtimeline</param>
                    </module>
                  </module>
                </module>
              </module>
            </module>    

          </module> <!-- Search -->


          <module name="HiddenSearch" layoutPanel="panel_row2_col2">
            <param name="search">
`iptables_index` `iptables_src` | bucket _time span=5m | stats count by _time | stats sum(count) as count by _time
| sort - count | head 1 | fields - _time | gauge count [search `iptables_index` `iptables_src` earliest=-24h@h latest=-1h@h | bucket _time span=5m 
| stats count by _time | stats mean(count) as mean | eval first=0 | eval second=mean*4 | eval third=mean*6 
| eval fourth=mean*8 | eval second=round(second,0) | eval third=round(third,0) | eval fourth=round(fourth,0) 
| eval range=first+" "+second+" "+third+" "+fourth | return $range]
            </param>                          

            <module name="HTML">
              <param name="html"><![CDATA[
              <h3>Peak load:</h3>
              ]]></param>
            </module>

            <module name="HiddenFieldPicker">
              <param name="strictMode">True</param>
              <module name="JobProgressIndicator">
                <module name="EnablePreview">
                  <param name="display">False</param>
                  <param name="enable">True</param>
                  <module name="HiddenChartFormatter">
                    <param name="charting.chart">fillerGauge</param>
                    <module name="JSChart">
                      <param name="width">100%</param>
                      <param name="height">150px</param>
                      <module name="ConvertToDrilldownSearch">
                        <module name="ViewRedirector">
                          <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                    <module name="ViewRedirectorLink">
                      <param name="viewTarget">flashtimeline</param>
                    </module>
                  </module>
                </module>
              </module>
            </module>

          </module> <!-- Search -->

          <module name="Search">
            <param name="search">
              `iptables_index` `iptables_src` | bucket _time span=$Span$ | stats count by _time | stats sum(count) as count by _time | sort - count | head 1 | eval time=strftime(_time,"%d %B %Y %I:%M %p")
            </param>

            <module name="HTML" layoutPanel="panel_row2_col2">
              <param name="html"><![CDATA[
              <p></p>
              ]]></param>
            </module>
            <module name="SingleValue" layoutPanel="panel_row2_col2">
              <param name="field">count</param>
              <param name="beforeLabel">Number of denied connections:</param>
              <param name="format">string</param>
            </module>        
            <module name="SingleValue" layoutPanel="panel_row2_col2">
              <param name="field">time</param>
              <param name="beforeLabel">Date of peak:</param>
              <param name="format">string</param>
            </module>

          </module> <!-- Search -->

Thank you very much for any help 🙂

sideview
SplunkTrust

One key difference between the Sideview Search module and the Splunk HiddenSearch module is that "$" characters are special, and they are interpreted as $foo$ tokens. This is of course how span=$Span$ works. Instead of having to go through Splunk's intentions system, with an extra round trip to the server, Sideview Utils just plugs in the $Span$ key right then and there.

Then further down that same search, you have $range. I actually don't know why that "$" character is there in the range fieldname. It actually looks like a typo. Either take that "$" character off of $range, or if you intended that to be a literal "$" character, replace it with two "$" consecutive characters. There are a few places in the docs these days that remind you of the special rule for literal "$" characters. I'll make another pass and see if there's any sensible place that doesn't say it.

Put simply if you want something to have a literal "$" in it, and it's something that does "$foo$" substitution, just put "$$" there instead.

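To make the "$$" rule concrete, here is an added example (not Sideview Utils' own code, and not part of this thread) that models the token substitution the answer describes and runs it over the tail of the question's gauge search in its three forms; it assumes, as a simplification, that an unknown $name$ token is replaced by an empty string, and it flags any "$" left unpaired as the thing to write as "$$".

```python
import re

# Token grammar as described in the answer above: "$$" is a literal "$",
# "$name$" is a token to be filled in from the view's context. This is a
# simplified re-implementation for illustration, not Sideview Utils' code.
TOKEN_RE = re.compile(r"\$\$|\$([A-Za-z_][A-Za-z0-9_]*)\$")

def substitute_tokens(search, values):
    """Fill $name$ tokens in a Search module's search string.

    Assumption (not stated on the page): a token with no value in the
    context becomes an empty string, which turns "return $range$" into
    "return ]", the input that makes the SPL 'return' command fail.
    """
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        return str(values.get(m.group(1), ""))
    return TOKEN_RE.sub(repl, search)

def unpaired_dollars(search):
    """Return offsets of "$" characters that are neither a "$$" escape nor
    part of a $name$ token. These are the places where a literal "$" was
    probably intended (SPL's "return $range") and must be written "$$"."""
    blanked = TOKEN_RE.sub(lambda m: " " * len(m.group(0)), search)
    return [i for i, ch in enumerate(blanked) if ch == "$"]

def lint(search, values):
    """Pre-deploy check: substituted search plus any leftover unpaired '$'."""
    return substitute_tokens(search, values), unpaired_dollars(search)

# Constructed sample: the end of the question's subsearch, three ways.
SPAN = {"Span": "5m"}
ATTEMPT_1 = "| bucket _time span=$Span$ | stats mean(count) as mean | return $range]"
ATTEMPT_2 = "| bucket _time span=$Span$ | stats mean(count) as mean | return $range$]"
FIXED = "| bucket _time span=$Span$ | stats mean(count) as mean | return $$range]"

if __name__ == "__main__":
    for label, s in (("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2), ("fixed", FIXED)):
        out, bad = lint(s, SPAN)
        print(f"{label}: {out!r}  unpaired '$' at {bad}")
```

Only the "$$range" form survives substitution as a literal "$range" for SPL, while the other two either leave a stray "$" behind or hand "return" an empty argument.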

guilmxm
SplunkTrust

Hi!

Many thanks for your answer, as always perfectly clear and useful 🙂

That made the trick using $$range.
