- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Real time dasboard and Saved Search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Real time dasboard and Saved Search
Can I use a Saved Search in a dashboard and display it in Real Time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Just make sure when you save that search have the time range set to Real-Time and the desired window of time you want. If an existing search and you want to change the time range just go into manager - searches & reports - select the search and under Start Time you should have something like rt-1m and under Finish Time: rt.
Then you can build a simple dashboard and use that saved search. Here is a link on building simple dashboards.
http://www.splunk.com/base/Documentation/latest/User/CreateSimpleDashboards
Travis.
Ok this sounds like you should try building an advanced dashboard.
http://www.splunk.com/base/Documentation/4.1.3/Developer/AdvancedDashboard
Below is an example of what I think you could use. This will give you a TimeRange picker that will control the SavedSearch. Let me know if this helps.
<view template="dashboard.html" refresh="600">
<label>Title</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module><!-- /message/AppBar/AccountBar -->
<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
<param name="searchWhenChanged">True</param>
<module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" group="Title" autoRun="true">
<param name="savedSearch">(your saved search here)</param>
<module name="Paginator">
<param name="count">10</param>
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
</module><!-- /SimpleResultsTable -->
</module><!-- /Paginator-->
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
<param name="popup">True</param>
</module><!-- /ViewRedirectorLink-->
</module><!-- /HiddenSavedSearch -->
</module><!-- /TimeRangePicker -->
</view>
Travis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try throwing a
If nothing else you could always clone/copy the saved search and use that copy to run your dashboard.
Travis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Travis. It seems to work fine exect I get a big red rubbon error: "Configuration error - HiddenSavedSearch has both parent modules like TimeRangePicker, and also a dispatched job from the scheduler."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hell Travis, the problem is that we need also to schedule this search for report delivery. If a use rt, I cannot schedule it. Do you know if there is a way in a dashboard to have the parameters take precedence over the one in the Saved Search?
Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts
Video | Tom’s Smartness Journey Continues
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
