We can initialize tokens in an init section within a form - and we can make a form refresh every 60 sec by specifying refresh="60" in the form tag -- but it appears that the init section is not re-executed when the form refreshes?
The tokens I set in the init section are time tokens that I use throughout the dashboard to control the scope of searches - I calculate them from now() using relative_time(), etc., and display them in the form to check their values, which don't change.
The underlying need: to juxtapose the results of two searches: (1) on today's log events, to get (say) event count for a given index and sourcetype per 5 minute interval, and (2) on a summary index, to get the minimum and maximum such event counts over the past 30 days, again for each 5 minute interval, and line them up by time interval (hh:mm, e.g. "13:05") so that I can compare (within each 5 minute interval) today's count vs. the historical minimum and maximum count and alert if today's count falls outside the historical range.
This works great when I simply run it for the day and produce a chart - lines for historical minimum and maximum and today's counts, nicely aligned by time interval.
For a status indicator or alert though, I want to process a single 5 minute interval, every 5 minutes - and I've been able to do that by setting tokens to (1) the appropriate earliest and latest value for today's events, and (2) the corresponding "hh:mm" value to get the time slice of the summary index. Unfortunately, the tokens I set don't update, even though they're in the init section of a form with refresh=60 - and so far, I haven't been able to get the main search (which is actually the summary index search) to pull the same 5 minute interval (for each of the past 30 days) as the search of today's log events.
Any suggestions much appreciated!
I'd recommend using the panel based refresh controls rather than a full dashboard refresh. That will allow more specific controls per search that still honor the parameters set on the dashboard.
If your version of Splunk does not have this option, it might be time for an upgrade, so communicate that interest to your admins. "I want my MTV!"
I appreciate the point - is it still better to do it that way when every viz on the page (10 status indicators + 10 charts) needs to be refreshed every 5 minutes?
Note also that the question is really about updating some time tokens on every refresh iteration. Is there any way to do that?
If the init tag/section is purely for one-time initialization when the form is first loaded (which is great for setting tokens for colors and other visualization options), it would be nice to have an explicit refresh tag/section too - for both forms and individual visualizations - which would execute for every refresh, setting time tokens to be used in one or more searches and/or text elements.
I imagine it is better to do it by panel because you get more granular control should you ever decide NOT to have them update together.
Did the panel approach work at preserving the token values as you desired? If not, please post sanitized versions of the simple XML so we can be more specific. I'm worried I might be misunderstanding what you mean by "init tag/section" and therefore providing bad details.
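An added example, not part of any post in this thread: one way to combine the per-search refresh controls suggested above with time tokens that are recomputed on every refresh, by setting them from a hidden search's `done` handler instead of from `init`. The index, sourcetype, summary index and field names (`example_index`, `example_sourcetype`, `example_summary`, `slot`, `event_count`) and the token names are assumptions made for illustration.

```xml
<form>
  <label>Five-minute slot vs. 30-day range (illustrative)</label>

  <!-- Hidden "clock" search: re-dispatched every 5 minutes. Each time it
       finishes, the done handler republishes the time tokens, and every
       search that references them is re-run with the new values. -->
  <search id="slot_clock">
    <query>| makeresults
| eval slot_latest=floor(now()/300)*300
| eval slot_earliest=slot_latest-300
| eval slot_hhmm=strftime(slot_earliest,"%H:%M")</query>
    <refresh>5m</refresh>
    <refreshType>delay</refreshType>
    <done>
      <set token="slot_earliest">$result.slot_earliest$</set>
      <set token="slot_latest">$result.slot_latest$</set>
      <set token="slot_hhmm">$result.slot_hhmm$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Slot $slot_hhmm$: today vs. historical range</title>
      <table>
        <search>
          <!-- Today's events for the last complete 5-minute slot, joined
               side by side with the same hh:mm slot from the summary index
               (hypothetical fields: slot, event_count). -->
          <query>index=example_index sourcetype=example_sourcetype earliest=$slot_earliest$ latest=$slot_latest$
| stats count AS today_count
| appendcols [search index=example_summary slot="$slot_hhmm$" earliest=-30d@d latest=@d
    | stats min(event_count) AS hist_min max(event_count) AS hist_max]
| eval status=if(today_count&lt;hist_min OR today_count&gt;hist_max, "out of range", "ok")</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the panel search depends on the tokens, it does not need its own refresh element; it is re-dispatched whenever the clock search publishes new values.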