Is there a way to Auto Refresh a global search individually with Post-Process searches in Splunk 6.2 without refreshing the entire dashboard?

ashleyherbert
Communicator

Hi All,
Using the new 6.2 search module, I'm trying to create a dashboard with a global search and multiple single values presented from it using post-process searches. I need the single values to refresh every 60 seconds, however since they're driven off the global search, the refresh.auto.interval option does not re-run the global search. Is there a way to refresh the global search individually?
I know I can refresh the whole dashboard, but I plan to have a few extra searches on this dashboard which will need to be refreshed separately. I could also make it a scheduled saved search, but that means it's running all the time when nobody is looking at it.

Here's my XML:

<dashboard>
    <label>Sovereign Performance</label>
    <search id="rmiperfSearch">
        <query>index=sovereign sourcetype=rmiperf  action=lookup_startup | stats latest(action_time) as action_time by host | rangemap field=action_time low=0-10000 elevated=10001-30000 severe=30001-100000 default=severe</query>
        <earliest>-3m</earliest>
        <latest>now</latest>
    </search>
    <row>
        <panel>
            <title>RMI lookup_startup latest response time in Kogarah</title>
            <single>
                <title>K1 - VIRNTAPP035</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp035</query>
                </search>
                <option name="underLabel">K1</option>
                <option name="linkView">search</option>
                <option name="drilldown">none</option>
                <option name="afterLabel">ms</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
            <single>
                <title>K2 - VIRNTAPP036</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp036</query>
                </search>
                <option name="underLabel">K2</option>
                <option name="linkView">search</option>
                <option name="drilldown">none</option>
                <option name="afterLabel">ms</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
        </panel>
        <panel>
            <title>RMI lookup_startup latest response time in WSDC</title>
            <single>
                <title>G1 - VIRNTAPP042</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp042</query>
                </search>
                <option name="underLabel">G1</option>
                <option name="linkView">search</option>
                <option name="drilldown">none</option>
                <option name="afterLabel">ms</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
            <single>
                <title>G2 - VIRNTAPP043</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp043</query>
                </search>
                <option name="underLabel">G2</option>
                <option name="linkView">search</option>
                <option name="drilldown">none</option>
                <option name="afterLabel">ms</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
        </panel>
    </row>
    <row>
        <panel>
            <title>Response times by server for the past 4 hours</title>
            <chart>
                <search>
                    <query>index=sovereign sourcetype=rmiperf action=lookup_startup | timechart span=1m avg(action_time) by host</query>
                    <earliest>-4h@m</earliest>
                    <latest>now</latest>
                </search>
                <option name="charting.chart">line</option>
                <option name="charting.axisY2.enabled">undefined</option>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                <option name="charting.axisTitleX.visibility">collapsed</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisX.scale">linear</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.scale">inherit</option>
                <option name="charting.chart.bubbleMaximumSize">50</option>
                <option name="charting.chart.bubbleMinimumSize">10</option>
                <option name="charting.chart.bubbleSizeBy">area</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                <option name="charting.chart.stackMode">default</option>
                <option name="charting.chart.style">shiny</option>
                <option name="charting.drilldown">all</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                <option name="charting.legend.placement">right</option>
                <option name="refresh.auto.interval">60</option>
                <option name="height">400px</option>
            </chart>
        </panel>
    </row>
</dashboard>
1 Solution

martin_mueller
SplunkTrust

I didn't test this, but do try putting the base search into a panel somewhere and set that to refresh. You can keep the id set and refer to it from your single values.

If that works you can look into hiding this panel, or at least obfuscating the fact that one single is different from the other singles. For example, if you sort by host the single with the base search will show the first result and the other three could apply their post processing afterwards. Just make sure you always have a row for each host.

martin_mueller
SplunkTrust

depends=$nothing$ is a great idea as well. Is the panel entirely invisible, with no hints to it such as weird layout gaps?

Can you remove the refresh intervals from the postprocessing single values now?

0 Karma

ashleyherbert
Communicator

Yeah the panel is entirely visible, and there's no gaps or weird layout. I am actually surprised the search still runs & refreshes with the depends=$nothing$ tag, but it definitely does. And yes, I just tried removing the refresh.auto.interval tags from all the other single values and they still all refresh.

0 Karma

ashleyherbert
Communicator

Great idea, and it works!

I added the following extra single value in the same panel. Even though the module is hidden (due to the depends token missing), it still refreshes the search.

<single depends="$nothing$">
    <search id="rmiperfSearch">
        <query>index=sovereign sourcetype=rmiperf action=lookup_startup | stats latest(action_time) as action_time by host | rangemap field=action_time low=0-10000 elevated=10001-30000 severe=30001-100000 default=severe</query>
        <earliest>-3m</earliest>
        <latest>now</latest>
    </search>
    <option name="linkView">search</option>
    <option name="drilldown">none</option>
    <option name="refresh.auto.interval">60</option>
    <option name="field">action_time</option>
</single>
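
The pieces of this thread assembled into one panel, as an added example that neither participant posted. It assumes the original top-level `<search id="rmiperfSearch">` is removed so the id is defined only once, and it shows two of the four hosts; the refresh behaviour of the hidden single is as reported in the thread for Splunk 6.2.

```xml
<dashboard>
    <label>Sovereign Performance</label>
    <row>
        <panel>
            <title>RMI lookup_startup latest response time in Kogarah</title>
            <!-- Hidden driver: the $nothing$ token is never set, so this single is
                 not rendered, but (per the thread) its search still runs and
                 re-dispatches every 60 seconds. It now owns the base search id. -->
            <single depends="$nothing$">
                <search id="rmiperfSearch">
                    <query>index=sovereign sourcetype=rmiperf action=lookup_startup | stats latest(action_time) as action_time by host | rangemap field=action_time low=0-10000 elevated=10001-30000 severe=30001-100000 default=severe</query>
                    <earliest>-3m</earliest>
                    <latest>now</latest>
                </search>
                <option name="drilldown">none</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
            </single>
            <!-- Post-process singles: no refresh.auto.interval of their own;
                 they update whenever the base search above completes. -->
            <single>
                <title>K1 - VIRNTAPP035</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp035</query>
                </search>
                <option name="underLabel">K1</option>
                <option name="afterLabel">ms</option>
                <option name="drilldown">none</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
            <single>
                <title>K2 - VIRNTAPP036</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp036</query>
                </search>
                <option name="underLabel">K2</option>
                <option name="afterLabel">ms</option>
                <option name="drilldown">none</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
        </panel>
    </row>
</dashboard>
```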