Dashboards & Visualizations

How to make verbose mode as default mode for the dashboard?

Explorer

Hi,

I have a dashboard created in our environment and the default mode for the dashboard is Fast mode. However the default mode when I use general search is verbose mode. Since the dashboard is taking fast mode for search, real-time events are not generated. Is there any way to change the search mode of the dashboard to verbose in the query itself? However, I tried to change the mode to verbose under savedsearches.conf file, but still it has no effect on the dashboard.

Please guide.

Regards,
Sushma.

0 Karma

Engager

A little dated but could you force the SearchMode module to show using the XML in the dashboard?

http://docs.splunk.com/Documentation/Splunk/6.0.3/AdvancedDev/ModuleReference

Search 'SearchMode'

0 Karma

The primary differences between fast mode and verbose mode are the parsing of search-time fields and the presentation of raw events even if your search uses a transforming command to convert the results into a stats table. Is the search-time field extraction what you're talking about? If so, there are ways to get around the optimizations that are performed in dashboard queries, based on use case. If you describe your overall dashboard, desired data presentation, and the specific issues, we can help you address the problems.

0 Karma

Explorer

Hi,

My dashboard query is as below:

source="jnpr-syslog" policy_name=Internet_Lab_Policy_Gateway_Logging source
| bin _time span=1d
| stats count as New_Connections by source_address _time
| eventstats sum(New_Connections) as Total by _time
| eval "%New_Connections"=round((New_Connections/Total)*100,2)
| fields - Total
| sort - _time New_Connections | streamstats count as sno by _time
| search sno<=20
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(New_Connections) as New_Connections last("%New_Connections") as "%New_Connections" by source_address
| sort - New_Connections

It displays the number of new connections opened up by top 20 source address. For this query when I select the time range as 30 minutes windows under Real-time and since the default mode being fast mode for the dashboard, no graph is displayed. Instead when I change the mode to verbose, I can see graphs generating for it. What I am asking is how to make the verbose mode as default one in the dashboard, else how to display the graph even being in the fast mode.

Does this makes sense?

Let me know if you need any more information.

Regards,
Sushma.

0 Karma

SplunkTrust
SplunkTrust

I'm not following when you say "real-time events are not generated in fast-mode". Perhaps you can explain more?

0 Karma

SplunkTrust
SplunkTrust

To add on to this.. I'm thinking your referring to field extractions and not events.. There is a trick if your using post processing in a dashboard, since it runs in fast mode. You need to explicitly add your fields so they are available in fast mode

| fields + <Field names to be included>

Explorer

Hi,

My dashboard query is as below:

source="jnpr-syslog" policy_name=Internet_Lab_Policy_Gateway_Logging source
| bin _time span=1d
| stats count as New_Connections by source_address _time
| eventstats sum(New_Connections) as Total by _time
| eval "%New_Connections"=round((New_Connections/Total)*100,2)
| fields - Total
| sort - _time New_Connections | streamstats count as sno by _time
| search sno<=20
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(New_Connections) as New_Connections last("%New_Connections") as "%New_Connections" by source_address
| sort - New_Connections

It displays the number of new connections opened up by top 20 source address. For this query when I select the time range as 30 minutes windows under Real-time and since the default mode being fast mode for the dashboard, no graph is displayed. Instead when I change the mode to verbose, I can see graphs generating for it. What I am asking is how to make the verbose mode as default one in the dashboard, else how to display the graph even being in the fast mode.

Does this makes sense?

Let me know if you need any more information.

Regards,
Sushma.

0 Karma

SplunkTrust
SplunkTrust

Once again.. The solution is not to run it in verbose mode but rather explicitly define the fields you want which will be ran in fast mode.

Try this.. I also strongly recommend you add an index and sourcetype to your search for faster search times

source="jnpr-syslog" policy_name=Internet_Lab_Policy_Gateway_Logging source 
| bin _time span=1d
| fields + New_Connections source_address _time
| stats count as New_Connections by source_address _time
| eventstats sum(New_Connections) as Total by _time
| eval "%New_Connections"=round((New_Connections/Total)*100,2)
| fields - Total
| sort - _time New_Connections | streamstats count as sno by _time
| search sno<=20
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(New_Connections) as New_Connections last("%New_Connections") as "%New_Connections" by source_address
| sort - New_Connections
0 Karma

SplunkTrust
SplunkTrust

@muralisushma7 did this work for you?

0 Karma

Explorer

Hi,

As said, I ran the above query , but still the result is same, when it is in fast mode, I see the output as "No results in current time range", but again when I change the mode to verbose, I can see the 4 rows with values as output. Either I want the same output when in fast mode or else I always want the dashboard to run in verbose mode.

Regards,
Sushma.

0 Karma

Explorer

Any idea?

Regards,
Sushma.

0 Karma

SplunkTrust
SplunkTrust

You're going to have to explicitly call the fields, perhaps line 3 is not the best place for it. You will need to move it down before the stats command

0 Karma

Explorer

source="jnpr-syslog" policy_name=Internet_Lab_Policy_Gateway_Logging source
| bin _time span=1d
| stats count as New_Connections by source_address _time
| eventstats sum(New_Connections) as Total by _time
| eval "%New_Connections"=round((New_Connections/Total)*100,2)
| fields - Total
| sort - _time New_Connections | streamstats count as sno by _time
| search sno<=20
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| fields + New_Connections source_address _time
| stats last(New_Connections) as New_Connections last("%New_Connections") as "%New_Connections" by source_address
| sort - New_Connections

Is this what you are saying?

0 Karma

Explorer

I moved the fields line to the last 2nd line(above the stats line),and re-ran the query, still i don't get the output when ran in fast mode.

Regards,
Sushma.

0 Karma

SplunkTrust
SplunkTrust

You will need to test this yourself.. You're losing the fields somewhere

You need to strip off each line starting from the bottom and identify when your fields are there and when they disappear.

0 Karma

Explorer

Wherever I place that line in my query, i still don't see output in fast mode.

Regards,
Sushma.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!