How to display real-time data in a dashboard?

Hindoo · ‎04-13-2015

Hello,

I managed to display a dashboard for data in the last 24 hours or last week, but when I want to display real-time, it shows me "No results in current time range."
In short, I want to display a dashboard in real-time.
I need your help please !!!!!

gyslainlatsa · ‎04-13-2015

hi hindoo,
this is a code for one example of the dashboard real time

  <dashboard>
      <label>Realtime Search</label>
      <description>Table, Chart and Event panels powered by inline and report realtime searches.</description>
      <row>
        <table>
          <title>Inline Search Table</title>
          <search>
            <query>index=_internal | head 1000 | top limit=100 sourcetype | eval percent = round(percent,2)</query>
            <earliest>rt-30s</earliest>
            <latest>rt</latest>
          </search>
        </table>
        <chart>
          <title>Inline Search Chart</title>
          <search>
            <query>index=_internal | head 1000 | timechart count</query>
            <earliest>rt-30s</earliest>
            <latest>rt</latest>
          </search>
          <option name="charting.chart">area</option>
        </chart>
      </row>
  </dashboard>

use this time range rt-30s and rt in your dashboard and let me know.
for the last 24hrs, use this time range -24h@hand now

gyslainlatsa · ‎04-13-2015

hi hindoo,

you said one source with source = "192.168.1.203",
it is likely that there is no result for this uique source in real time. try to select all sources with source = * and check if there will not always results. and if it works, you could create a dropdown where the user can select a particular source.

if you want to get all the results you have to write |top limit = 0, to generalize, you might have a code like this:

<form>
  <label>---------------------------------------</label>
  <description>---------------------</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Select a source:</label>
      <default>*</default>
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="source" fieldForLabel="source" >
        <![CDATA[sourcetype=syslog | stats count by source]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>

      <table>          
       <title>Inline Search Table</title> 
       <search>           
         <query> sourcetype= syslog source= $source$ | top limit=10</query>     
         <earliest>rt-30s</earliest>
         <latest>rt</latest>           
       </search>        
     </table> 

  </row>
</form>

please forgive my english.

Hindoo · ‎04-13-2015

thanks,
i try with your example:

Realtime Search

Table by inline and report realtime searches.

<table>          
  <title>Inline Search Table</title> 
  <search>           
    <query> sourcetype= syslog source="192.168.1.203" | top limit=10</query>     
    <earliest>rt-30s</earliest>
    <latest>rt</latest>           
  </search>        
</table>

but , no result ...

How to display real-time data in a dashboard?

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Are you a member of the Splunk Community?

How to display real-time data in a dashboard?

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...