
Sideviews Search with a subsearch to define the gauge range

SplunkTrust

Hi,

I am managing 2 Splunk applications (Splunk for Netfilter Iptables, Splunk for Fail2ban).

I would like to convert a search into a Sideview Search (V2.x version):

          <module name="HiddenSearch" layoutPanel="panel_row2_col2">
            <param name="search">
`iptables_index` `iptables_src` | bucket _time span=5m | stats count by _time | stats sum(count) as count by _time
| sort - count | head 1 | fields - _time | gauge count [search `iptables_index` `iptables_src` earliest=-24h@h latest=-1h@h | bucket _time span=5m 
| stats count by _time | stats mean(count) as mean | eval first=0 | eval second=mean*4 | eval third=mean*6 
| eval fourth=mean*8 | eval second=round(second,0) | eval third=round(third,0) | eval fourth=round(fourth,0) 
| eval range=first+" "+second+" "+third+" "+fourth | return $range]
            </param>

I need to use a Sideview Search to be able to use my $Span$ instead of a static value (defined by a macro and passed downstream with ResultsValueSetter).

However, each time I try to do so, it doesn't work: I get either a missing "[" message (if I leave $range with only one $) or: Error in 'return' command: command="return", Usage: [count] attr, $attrval, alias=attr, ...

I am trying to use:

          <module name="Search" layoutPanel="panel_row2_col2">
            <param name="search">
`iptables_index` `iptables_src` | bucket _time span=$Span$ | stats count by _time | stats sum(count) as count by _time
| sort - count | head 1 | fields - _time | gauge count [search `iptables_index` `iptables_src` earliest=-24h@h latest=-1h@h | bucket _time span=$Span$ 
| stats count by _time | stats mean(count) as mean | eval first=0 | eval second=mean*4 | eval third=mean*6 
| eval fourth=mean*8 | eval second=round(second,0) | eval third=round(third,0) | eval fourth=round(fourth,0) 
| eval range=first+" "+second+" "+third+" "+fourth | return $range]
            </param>

Or:

          <module name="Search" layoutPanel="panel_row2_col2">
            <param name="search">
`iptables_index` `iptables_src` | bucket _time span=$Span$ | stats count by _time | stats sum(count) as count by _time
| sort - count | head 1 | fields - _time | gauge count [search `iptables_index` `iptables_src` earliest=-24h@h latest=-1h@h | bucket _time span=$Span$ 
| stats count by _time | stats mean(count) as mean | eval first=0 | eval second=mean*4 | eval third=mean*6 
| eval fourth=mean*8 | eval second=round(second,0) | eval third=round(third,0) | eval fourth=round(fourth,0) 
| eval range=first+" "+second+" "+third+" "+fourth | return $range$]
            </param>

Indeed, the problem only occurs when I try to define the gauge range using a subsearch; I guess it could be related to:
http://splunk-base.splunk.com/answers/79518/problem-with-subsearch-returning-value-and-sideview-util...

The goal of my search is to determine the peak load using the same bin value as the previous charting search and to dynamically define the gauge range value. (No problem with my search using Sideview if I set the gauge range statically.)

Here is all the current code (with the search in question not using the Sideview Search):

          <module name="Search" layoutPanel="panel_row2_col1">
            <param name="search">
              `iptables_index` `iptables_src` | timechart span=$Span$ count as Denied_Connections by iptables_host
            </param>

            <module name="HTML">
              <param name="html"><![CDATA[
              <h3>Alert Trend: Denied connections by Iptables reporting host (per $Showspan$ time window)</h3>
              ]]></param>

            </module>

            <module name="HiddenFieldPicker">
              <param name="strictMode">True</param>
              <module name="JobProgressIndicator">
                <module name="EnablePreview">
                  <param name="display">False</param>
                  <param name="enable">True</param>
                  <module name="HiddenChartFormatter">
                    <param name="charting.chart.stackMode">stacked</param>
                    <param name="charting.legend.placement">bottom</param>
                    <param name="charting.chart">area</param>
                    <param name="charting.axisTitleX.text">Time</param>
                    <param name="charting.axisTitleY.text">Denied connections</param>
                    <module name="JSChart">
                      <param name="width">100%</param>
                      <param name="height">250px</param>
                      <module name="ConvertToDrilldownSearch">
                        <module name="ViewRedirector">
                          <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                    <module name="ViewRedirectorLink">
                      <param name="viewTarget">flashtimeline</param>
                    </module>
                  </module>
                </module>
              </module>
            </module>    

          </module> <!-- Search -->


          <module name="HiddenSearch" layoutPanel="panel_row2_col2">
            <param name="search">
`iptables_index` `iptables_src` | bucket _time span=5m | stats count by _time | stats sum(count) as count by _time
| sort - count | head 1 | fields - _time | gauge count [search `iptables_index` `iptables_src` earliest=-24h@h latest=-1h@h | bucket _time span=5m 
| stats count by _time | stats mean(count) as mean | eval first=0 | eval second=mean*4 | eval third=mean*6 
| eval fourth=mean*8 | eval second=round(second,0) | eval third=round(third,0) | eval fourth=round(fourth,0) 
| eval range=first+" "+second+" "+third+" "+fourth | return $range]
            </param>                          

            <module name="HTML">
              <param name="html"><![CDATA[
              <h3>Peak load:</h3>
              ]]></param>
            </module>

            <module name="HiddenFieldPicker">
              <param name="strictMode">True</param>
              <module name="JobProgressIndicator">
                <module name="EnablePreview">
                  <param name="display">False</param>
                  <param name="enable">True</param>
                  <module name="HiddenChartFormatter">
                    <param name="charting.chart">fillerGauge</param>
                    <module name="JSChart">
                      <param name="width">100%</param>
                      <param name="height">150px</param>
                      <module name="ConvertToDrilldownSearch">
                        <module name="ViewRedirector">
                          <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                    <module name="ViewRedirectorLink">
                      <param name="viewTarget">flashtimeline</param>
                    </module>
                  </module>
                </module>
              </module>
            </module>

          </module> <!-- Search -->

          <module name="Search">
            <param name="search">
              `iptables_index` `iptables_src` | bucket _time span=$Span$ | stats count by _time | stats sum(count) as count by _time | sort - count | head 1 | eval time=strftime(_time,"%d %B %Y %I:%M %p")
            </param>

            <module name="HTML" layoutPanel="panel_row2_col2">
              <param name="html"><![CDATA[
              <p></p>
              ]]></param>
            </module>
            <module name="SingleValue" layoutPanel="panel_row2_col2">
              <param name="field">count</param>
              <param name="beforeLabel">Number of denied connections:</param>
              <param name="format">string</param>
            </module>        
            <module name="SingleValue" layoutPanel="panel_row2_col2">
              <param name="field">time</param>
              <param name="beforeLabel">Date of peak:</param>
              <param name="format">string</param>
            </module>

          </module> <!-- Search -->

Thank you very much for any help 🙂

SplunkTrust

One key difference between the Sideview Search module and the Splunk HiddenSearch module is that "$" characters are special: they are interpreted as $foo$ tokens. This is of course how span=$Span$ works. Instead of having to go through Splunk's intentions system, with an extra round trip to the server, Sideview Utils just plugs in the $Span$ key right then and there.

Then further down that same search, you have $range. I actually don't know why that "$" character is there in the range fieldname. It actually looks like a typo. Either take that "$" character off of $range, or if you intended that to be a literal "$" character, replace it with two consecutive "$" characters. There are a few places in the docs these days that remind you of the special rule for literal "$" characters. I'll make another pass and see if there's any sensible place that doesn't say it.

Put simply, if you want something to have a literal "$" in it, and it's something that does "$foo$" substitution, just put "$$" there instead.

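The rule in this answer, worked through as an added example that is not part of the thread and not Sideview Utils' own code: a small Python model of "$foo$" substitution, run over the three forms of the gauge search's return clause that appear in the question and the follow-up ($range, $range$ and $$range). Two behaviours are assumptions, not stated on the page: an unset $name$ token expands to an empty string, and a lone "$" that is neither a token nor a "$$" escape is left in place. The lint_search helper flags such stray dollars, which is the check that would have caught the one-dollar $range before the search ever reached splunkd.

```python
import re

# Added example, not Sideview Utils' own code: a minimal model of the "$foo$"
# token rule described in the answer above. Assumptions (not stated on the page):
#   - a "$name$" token whose value has not been set expands to an empty string
#   - a "$" that is neither part of a "$name$" token nor a "$$" escape is left
#     where it is and reported by lint_search()
TOKEN_RE = re.compile(r"\$\$|\$([A-Za-z_][A-Za-z0-9_]*)\$")


def substitute_tokens(search: str, tokens: dict) -> str:
    """Expand $name$ tokens and turn $$ into a literal $, scanning left to right."""
    def repl(match):
        if match.group(0) == "$$":
            return "$"                                  # escaped dollar -> literal dollar
        return str(tokens.get(match.group(1), ""))      # unset token -> "" (assumption)
    return TOKEN_RE.sub(repl, search)


def lint_search(search: str) -> list:
    """Offsets of stray '$' characters: not a $name$ token and not a $$ escape."""
    stray, pos = [], 0
    while pos < len(search):
        if search[pos] != "$":
            pos += 1
            continue
        m = TOKEN_RE.match(search, pos)
        if m:
            pos = m.end()                               # skip a well-formed token/escape
        else:
            stray.append(pos)
            pos += 1
    return stray


# Constructed sample: the tail of the gauge search from the question, in the three
# forms seen in the thread. SPL's "return $range" needs a leading "$" on the field
# name to emit a bare value, so the "$" has to survive token substitution.
VARIANTS = {
    "one_dollar": "| bucket _time span=$Span$ | stats mean(count) as mean | return $range]",
    "as_token":   "| bucket _time span=$Span$ | stats mean(count) as mean | return $range$]",
    "escaped":    "| bucket _time span=$Span$ | stats mean(count) as mean | return $$range]",
}


def expand_variants(span="5m"):
    """Substitute $Span$ into each variant and collect the stray-dollar offsets."""
    return {
        name: {"search": substitute_tokens(spl, {"Span": span}),
               "stray": lint_search(spl)}
        for name, spl in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, result in expand_variants().items():
        print(f"{name:11s} stray={result['stray']}  ->  {result['search']}")
```

Running it shows why only the third form works: the one-dollar form leaves a stray "$" that the module cannot interpret, the token form swallows $range$ entirely and hands splunkd a bare "return ]" (the usage error quoted in the question), and the escaped form reaches splunkd as "return $range]" with span=5m filled in.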

SplunkTrust

Hi!

Many thanks for your answer, as always perfectly clear and useful 🙂

That did the trick using $$range.
