
how often do charts update? f5 ltm irule

mbassettjr
Explorer

I have the splunk irule working and I'm seeing information in the dashboards.

However, the Top User Agents charts and Top Client IP charts are not getting updated: the top user agent has 30 hits, and the top client IP has 10 hits. But when I run the search query, I see the proper counts.

0 Karma

mbassettjr
Explorer

The issue I have noticed is that the user agent charts for the F5 LTM iRule logging do not seem to be correct.

I have found the search it is running:

stats sum(count) as count by user_agent | head 10 | sort - count

The issue I have with this is that it is showing BlackBerry user agents with the highest count. On further investigation, it appears that IE, Firefox and the other major browsers do not use identical user agent strings, and this query is not able to 'wrap them up' to IE6 or Firefox 7 or whatever browser it is, since they are unique and differing.

Example:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; MS-RTC LM 8)

32 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

33 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

34 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

35 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

36 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1; MS-RTC LM 8)

37 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

38 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

39 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; InfoPath.2)

40 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30)

It is interesting to note, however, that if I look at the top user agent chart from the normal search pane, the results are different still. Using this query:
top limit=100 user_agent

provides a different result set than the previous query.

What is going on here?

0 Karma
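An added example, not part of the original posts and not the Splunk app's own code: a Python emulation of the quoted `stats ... | head 10 | sort - count` pipeline over constructed rows, showing how truncating before sorting and grouping on raw User-Agent strings both distort a "top" chart, and how rolling strings up to a browser family changes the result. It assumes `stats ... by user_agent` returns rows ordered by the by-field value; the sample rows, regex patterns and family labels are this example's own.

```python
import re
from collections import Counter

# Constructed (user_agent, count) rows for illustration; not data from the thread.
EVENTS = [
    ("BlackBerry9700/5.0.0.351 Profile/MIDP-2.1", 4),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)", 3),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)", 3),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)", 3),
    ("Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1", 2),
    ("Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1", 1),
]

# First matching pattern wins; the family labels are this example's own choice.
FAMILY_PATTERNS = [
    (re.compile(r"MSIE (\d+)"), "IE"),
    (re.compile(r"Firefox/(\d+)"), "Firefox"),
    (re.compile(r"^BlackBerry(\d+)"), "BlackBerry"),
]

def browser_family(user_agent):
    """Collapse a raw User-Agent string to '<family> <leading number>'."""
    for pattern, name in FAMILY_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return f"{name} {match.group(1)}"
    return "other"

def stats_sum_by(events, key=lambda ua: ua):
    """Emulate 'stats sum(count) as count by <key>'; rows ordered by key (assumed)."""
    totals = Counter()
    for user_agent, count in events:
        totals[key(user_agent)] += count
    return sorted(totals.items())

def head_then_sort(rows, limit):
    """Truncate first, then sort descending: the order used in the quoted search."""
    return sorted(rows[:limit], key=lambda row: row[1], reverse=True)

def sort_then_head(rows, limit):
    """Sort descending first, then truncate."""
    return sorted(rows, key=lambda row: row[1], reverse=True)[:limit]

if __name__ == "__main__":
    print(head_then_sort(stats_sum_by(EVENTS), 2))                  # raw strings
    print(sort_then_head(stats_sum_by(EVENTS, browser_family), 2))  # rolled up
```

On the constructed rows, the raw-string pipeline puts the BlackBerry agent first even though the three IE 6 variants together account for more hits; the rolled-up, sort-first version ranks IE 6 on top.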

rroberts
Splunk Employee

Well, it depends.

  1. If you are using real-time searches, the dashboard should update on its own every 2 or 3 seconds.
  2. If you are calling a scheduled saved search on the dashboard, you will see cached results until the search runs again.
  3. If you are embedding the search directly on the panel, the search will run when the dashboard loads. With simple XML you can set the refresh rate. See: http://docs.splunk.com/Documentation/Splunk/4.2.4/Developer/Step1CreateADashboard
    Optionally set the refresh rate for the entire dashboard by adding a
    refresh="<seconds>" attribute: <dashboard refresh="30">
0 Karma