Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Problems controlling time range in dashboards
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems controlling time range in dashboards
I saved the following search without specifying a default start and end time range:
sourcetype=ossim "Event received" ((plugin_id>=1001 AND plugin_id<=1131) OR plugin_id=1597) | lookup ossim_plugins plugin_id OUTPUT plugin_name | timechart count by plugin_name
I have defined the following two charts in my dashboard. The first chart looks at the results of the search from the last hour. The second looks at the results of the search over 24 hours:
<row>
<chart>
<title>IDS Events by Plugin (60 Minutes)</title>
<searchName>IDS Events by Plugin</searchName>
<earliestTime>-1h</earliestTime>
<option name="charting.chart">area</option>
<option name="charting.legend.placement">right</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.nullValueMode">connect</option>
</chart>
</row>
<row>
<chart>
<title>IDS Events by Plugin (24 Hours)</title>
<searchName>IDS Events by Plugin</searchName>
<earliestTime>-1d</earliestTime>
<option name="charting.chart">area</option>
<option name="charting.legend.placement">right</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.nullValueMode">connect</option>
</chart>
When I open the dashboard, neither chart ever finishes loading. Both of them start with a view of 60 minutes. After a few seconds, it shows 24 hours. Then it shows a week. Eventually, I get the following error message:
Splunkd daemon is not responding: ('[Errno 10054] An existing connection was forcibly closed by the remote host',)
I tried cloning the saved search and have one search defined with a -1h start time and the other search with a -1d start time. Those dashboards display properly. I don't want to have to create a saved search for each time range I want to look at in a dashboard. I want a single saved search whose time window can be controlled by the dashboard XML.
Is this a bug or am I doing something wrong?
Thx.
Craig
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're using the simplified XML, and the outer tag is <dashboard>, so you're using the dashboard flavor of simplified XML.
1) if you use <searchName>, then the timerange will come from the savedsearch, a lack of a timerange is considered 'all time' implicitly. And nothing will pay any attention to your <earliestTime> sadly. This is one of the frustrating things about simplified XML - it often won't tell you when your configuration is invalid or when parts of it are being ignored. As an example put <monkey/> in the xml anywhere and it'll be perfectly happy although of course this does nothing.
2) I dont think that the <dashboard> flavor can have the configuration you desire, where it puts the TimeRangePicker module above the chart, and the user can thus set the timerange. However the <form> flavor of simplified XML certainly can. All in all though I recommend going straight to the advanced XML. The 'simplified' layer is just a kind of macro to the advanced syntax. Download the "UI Examples for 4.1." app from splunkbase (In splunk go to app > launcher > browse other apps > "UI Examples for 4.1", install). Read through the example views in that app. The configuration you want at the end of the day is quite simple and the XML is not much more complicated than the equivalent <form> syntax.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
