how to display pattern tab result in report in dashboard?

Explorer

I click "Save as report" and find no option for showing the pattern tab result.

Is there any equivalent command that shows the same result as the pattern tab?

0 Karma
1 Solution

Splunk Employee

There is no direct way to display the patterns tab the way it is formatted in the Search and Reporting app in a dashboard.
But... the Patterns tab is produced by running a cluster command under the covers. You can check the audit index after selecting the patterns tab and you will see something like this (I used a search on the _internal index when selecting patterns):
`index=_internal | cluster t=0.3 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true`
You can start here and format the output to satisfy your display needs.


Communicator

Just adding one note because I have seen this discussion as I was looking for the same answer.

Going to Settings >> Monitoring Console >> Search >> Activity >> Search Usage Statistics: Instance and then setting the option "Only Ad Hoc Searches" = NO, you can find the search triggered by Splunk when you click on the "Pattern" tab:

| loadjob 1233886270.2 events=true require_finished=false | cluster t=0.8 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true

This is exactly what is done in the background (where 1233886270.2 is the search job id).

Then, if you want to recreate the same result, you have to attach approximately the following to your search:

| cluster t=0.8 labelonly=t showcount=t labelfield=_patterns match=termset
| findkeywords labelfield=_patterns dedup=true
| search confidence>0
| fields - search
| sort -percentMatched

Just wondering/checking how exactly it is sorting the results, and how it is calculating the number of events matched.

0 Karma
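As an added example (not code from any reply in this thread), this is how the search from the reply above can be wired into a Simple XML dashboard panel so the cluster/findkeywords output shows up as a table. The index name `YOUR_INDEX`, the `sourcetype=access*` filter and the 24-hour time range are assumptions; replace them with whatever your own search uses. One thing to watch: inside the XML `<query>` element the `>` in `confidence>0` must be written as `&gt;`, otherwise the dashboard will not load.

```xml
<dashboard>
  <label>Patterns (cluster + findkeywords)</label>
  <row>
    <panel>
      <table>
        <title>Event patterns over the last 24 hours</title>
        <search>
          <!-- YOUR_INDEX is a placeholder: use the index that holds your data -->
          <!-- "&gt;" is the XML escape for ">" in confidence>0 -->
          <query>index=YOUR_INDEX sourcetype=access*
| cluster t=0.8 labelonly=t showcount=t labelfield=_patterns match=termset
| findkeywords labelfield=_patterns dedup=true
| search confidence&gt;0
| fields - search
| sort -percentMatched</query>
          <!-- assumed time range; adjust to match the search you compare against -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Save this as a new dashboard (Dashboards >> Create New Dashboard >> Source) or paste the `<panel>` into an existing one. Because the same `cluster` threshold (`t=0.8`) and `labelfield=_patterns` are used as in the search Splunk runs for the Patterns tab, the groups should line up with that tab for the same time range, although the tab's own rendering (the bars and sample events) is not reproduced.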


Explorer

Is there any update to your answer?

After trying to append index=audit or index=internal, I still cannot create the same result as the pattern tab.

0 Karma

Splunk Employee

I was using the internal index as an example to show you what is being executed under the covers by the patterns tab. You would obviously have to use the index that contains your data for which you want to identify the patterns. Which index contains the data for your sourcetype=access*? That's the one you need to search. If it's searched by default, just remove index=_internal.

Your results from 2 days ago were different, because you looked at the patterns tab for a search over your data, but added index=_internal to the search that used the cluster command. The timeframes were slightly different as well.

0 Karma

Explorer

I found no _audit index in the pattern tab or the search events tab; where is it?

0 Karma

Explorer

I append index=internal or index=audit

https://drive.google.com/file/d/0Bxs_ao6uuBDUd2xMcXdyY3JkR1E/view?usp=sharing
https://drive.google.com/file/d/0Bxs_ao6uuBDUOWdnYXl3LXhpSzA/view?usp=sharing

but get no result.

autojoin='1' buckets=300 ttl=600 maxcount=500000 maxtime=8640000 enablelookups='1'

0 Karma