Dashboards & Visualizations

Is there a way to Auto Refresh a global search individually with Post-Process searches in Splunk 6.2 without refreshing the entire dashboard?

Communicator

Hi All,
Using the new 6.2 search module, I'm trying to create a dashboard with a global search and multiple single values presented from it using post-process searches. I need the single values to refresh every 60 seconds, however since they're driven off the global search, the refresh.auto.interval option does not re-run the global search. Is there a way to refresh the global search individually?
I know I can refresh the whole dashboard, but I plan to have a few extra searches on this dashboard which will need to be refreshed separately. I could also make it a scheduled saved search, but that means it's running all the time when nobody is looking at it.

Here's my XML:

<dashboard>
    <label>Sovereign Performance</label>
    <search id="rmiperfSearch">
        <query>index=sovereign sourcetype=rmiperf  action=lookup_startup | stats latest(action_time) as action_time by host | rangemap field=action_time low=0-10000 elevated=10001-30000 severe=30001-100000 default=severe</query>
        <earliest>-3m</earliest>
        <latest>now</latest>
    </search>
    <row>
        <panel>
            <title>RMI lookup_startup latest response time in Kogarah</title>
            <single>
                <title>K1 - VIRNTAPP035</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp035</query>
                </search>
                <option name="underLabel">K1</option>
                <option name="linkView">search</option>
                <option name="drilldown">none</option>
                <option name="afterLabel">ms</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
            <single>
                <title>K2 - VIRNTAPP036</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp036</query>
                </search>
                <option name="underLabel">K2</option>
                <option name="linkView">search</option>
                <option name="drilldown">none</option>
                <option name="afterLabel">ms</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
        </panel>
        <panel>
            <title>RMI lookup_startup latest response time in WSDC</title>
            <single>
                <title>G1 - VIRNTAPP042</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp042</query>
                </search>
                <option name="underLabel">G1</option>
                <option name="linkView">search</option>
                <option name="drilldown">none</option>
                <option name="afterLabel">ms</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
            <single>
                <title>G2 - VIRNTAPP043</title>
                <search base="rmiperfSearch">
                    <query>search host=virntapp043</query>
                </search>
                <option name="underLabel">G2</option>
                <option name="linkView">search</option>
                <option name="drilldown">none</option>
                <option name="afterLabel">ms</option>
                <option name="refresh.auto.interval">60</option>
                <option name="field">action_time</option>
                <option name="classField">range</option>
            </single>
        </panel>
    </row>
    <row>
        <panel>
            <title>Response times by server for the past 4 hours</title>
            <chart>
                <search>
                    <query>index=sovereign sourcetype=rmiperf action=lookup_startup | timechart span=1m avg(action_time) by host</query>
                    <earliest>-4h@m</earliest>
                    <latest>now</latest>
                </search>
                <option name="charting.chart">line</option>
                <option name="charting.axisY2.enabled">undefined</option>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                <option name="charting.axisTitleX.visibility">collapsed</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisX.scale">linear</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.scale">inherit</option>
                <option name="charting.chart.bubbleMaximumSize">50</option>
                <option name="charting.chart.bubbleMinimumSize">10</option>
                <option name="charting.chart.bubbleSizeBy">area</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                <option name="charting.chart.stackMode">default</option>
                <option name="charting.chart.style">shiny</option>
                <option name="charting.drilldown">all</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                <option name="charting.legend.placement">right</option>
                <option name="refresh.auto.interval">60</option>
                <option name="height">400px</option>
            </chart>
        </panel>
    </row>
</dashboard>
1 Solution

SplunkTrust
SplunkTrust

I didn't test this, but do try putting the base search into a panel somewhere and set that to refresh. You can keep the id set and refer to it from your single values.

If that works you can look into hiding this panel, or at least obfuscating the fact that one single is different from the other singles. For example, if you sort by host the single with the base search will show the first result and the other three could apply their post processing afterwards. Just make sure you always have a row for each host.

View solution in original post

SplunkTrust
SplunkTrust

I didn't test this, but do try putting the base search into a panel somewhere and set that to refresh. You can keep the id set and refer to it from your single values.

If that works you can look into hiding this panel, or at least obfuscating the fact that one single is different from the other singles. For example, if you sort by host the single with the base search will show the first result and the other three could apply their post processing afterwards. Just make sure you always have a row for each host.

View solution in original post

SplunkTrust
SplunkTrust

depends=$nothing$ is a great idea as well. Is the panel entirely invisible, with no hints to it such as weird layout gaps?

Can you remove the refresh intervals from the postprocessing single values now?

0 Karma

Communicator

Yeah the panel is entirely visible, and there's no gaps or weird layout. I am actually surprised the search still runs & refreshes with the depends=$nothing$ tag, but it definitely does. And yes, I just tried removing the refresh.auto.interval tags from all the other single values and they still all refresh.

0 Karma

Communicator

Great idea, and it works!

I added the following extra single value in the same panel. Even though the module is hidden (due to the depends token missing), it still refreshes the search.

<single depends="$nothing$">
    <search id="rmiperfSearch">
        <query>index=sovereign sourcetype=rmiperf action=lookup_startup | stats latest(action_time) as action_time by host | rangemap field=action_time low=0-10000 elevated=10001-30000 severe=30001-100000 default=severe</query>
        <earliest>-3m</earliest>
        <latest>now</latest>
    </search>
    <option name="linkView">search</option>
    <option name="drilldown">none</option>
    <option name="refresh.auto.interval">60</option>
    <option name="field">action_time</option>
</single>
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!