Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard SearchTemplate

jrich523
Path Finder
‎11-20-2013 12:16 PM

Im doing a fairly simple search template that just isnt working. It seems to be limited at 1000 events? (cant find any docs that would suggest this) and only 1 of the 3 charts even attempts to use the template at all.

It looks like the first timechart count works ok (only populates 1000) and the following timecharts (that have a "by") are getting all nulls.

so two questions, is there a limit and if so do i have any control over it?
why are charts 2 and 3 getting all empty entries?

 <form>
  <label>General Usage Stats</label>
  <description/>
  <searchTemplate>sourcetype="f5:irule:webaccess" | rex field=url "(?&lt;base&gt;[^?]+)\?(?&lt;querystring&gt;.*)"  | eval kb=(response_data_size/1024)</searchTemplate>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Total Hits</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
    <chart>
      <title>Hits by URL</title>
      <searchPostProcess>timechart count by base limit=5 useother=f usenull=f</searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="count">10</option>
    </chart>
    <chart>
      <title>Hits by Server</title>
      <searchPostProcess>timechart count by server_name limit=5 useother=f usenull=f</searchPostProcess>
      <option name="charting.chart">line</option>
    </chart>
  </row>
</form>
0 Karma
Reply

MuS
Legend
‎12-16-2014 02:15 AM

Hi jrich523,

you should use a transforming command within your searchTemplate for best results and to omit the limit you suspect to hit. Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/AdvancedDev/PostProcess to get more details on this.

cheers, MuS

0 Karma
Reply

ngatchasandra
Builder
‎12-16-2014 02:04 AM

To answer your question, I have taken your source code and test it with my own request based on my data. When I have done this, all charts don’t show the results. Then, I have taken each of my request and test them in search bar splunk and all is worked good. For example, this is my SearchTemplate:
index=project1_index | rex "\d+-\d+-\d+ \d+:\d+:\d+ (?<Host>[a-zA-Z0-9.-]+)"|rex max_match=0 "(?i) STRING: \"\"(?P<FIELDNAME>[^\"]+)" | eval Source=mvindex(FIELDNAME,0) | eval kb=(data_second/1024)

Note: My entire fields is extracted from _raw

The request is work good! So is your default value of your time input that have a problem because, when I remove that follow

<default>
<earliestTime>-15m</earliestTime>
   <latestTime>now</latestTime>
   </default>

In my case, it means that no events is reach -15m or now.
I think that is no problem of limit. My code is look like follow:

<form>
   <label>General Usage Stats</label>
   <description/>
   <searchTemplate>index=project1_index |  rex "\d+\-\d+\-\d+ \d+\:\d+:\d+ (?&lt;Host&gt;[a-zA-Z0-9.-]+)"|rex max_match=0 "(?i) STRING: \"\"(?P&lt;FIELDNAME&gt;[^\"]+)"| eval Source=mvindex(FIELDNAME,0) | eval kb=(data_second/1024)</searchTemplate>
   <fieldset autoRun="true" submitButton="false">
     <input type="time" searchWhenChanged="true">


     </input>
   </fieldset>
   <row>
     <chart>
       <title>Total Hits</title>
       <searchPostProcess>timechart count</searchPostProcess>
       <option name="charting.chart">line</option>
     </chart>
     <chart>
       <title>Hits by URL</title>
       <searchPostProcess>timechart count by Host limit=5 useother=f usenull=f</searchPostProcess>
       <option name="charting.chart">line</option>
       <option name="count">10</option>
     </chart>
     <chart>
       <title>Hits by Server</title>
       <searchPostProcess>timechart count by Source limit=5 useother=f usenull=f</searchPostProcess>
       <option name="charting.chart">line</option>
     </chart>
   </row>
 </form>
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...