Solved: Time range problem in advance XML dashboard (timer...

ashabc · ‎11-11-2013

I have a dashboard which uses advance xml for web proxy log analysis (ironport). It allows to select the time range from the drop down list. Everything seems to be working OK except when I select the date range for more than 7 days e.g. last 30 days or a specific date range, it still only displays last 7 days worth of data/chart.

However, if I take the same query in search (not dashboard), it shows/displays correct data/chart. So I must be doing something strange in XML. I have copied relevant part of the XML that uses TimeRangePicker.

Can anyone help me to point out what I may be doing wrong?

<module name="TimeRangePicker" layoutPanel="panel_row1_col1_grp2">
            <param name="searchWhenChanged">false</param>
            <module name="SubmitButton">
                <param name="allowSoftSubmit">false</param>
                <param name="label">Search</param>
                <module name="JobStatus" layoutPanel="viewHeader">

Ayn · ‎11-12-2013

Post processing has a limit of 10000 events, so if your base search generates more results than that they will never make it to the postprocess modules. You should try to aggregate your results in your base search so that the data passed on from it doesn't surpass this 1000 events limit. If this is not possible, you will need to convert your postprocess searches to individual searches instead. See more here: http://answers.splunk.com/answers/62534/hiddenpostprocess-silently-discarding-results

View solution in original post

ashabc · ‎11-12-2013

I ended up increasing the maxcount to 100000 in hiddensearch (

Thank you for you help Ayn.

Ayn · ‎11-12-2013

Post processing has a limit of 10000 events, so if your base search generates more results than that they will never make it to the postprocess modules. You should try to aggregate your results in your base search so that the data passed on from it doesn't surpass this 1000 events limit. If this is not possible, you will need to convert your postprocess searches to individual searches instead. See more here: http://answers.splunk.com/answers/62534/hiddenpostprocess-silently-discarding-results

ashabc · ‎11-12-2013

top limit=50 s_hostname showperc=0

rex field=s_hostname mode=sed "s/^www.*?\.//g" | transaction maxevents=-1 keepevicted=true s_hostname maxpause=5m maxspan=1h | stats count by s_hostname | rename s_hostname as Domain count as Sessions | sort 50 –Sessions

top limit=50 s_hostname | sort desc

ashabc · ‎11-12-2013

stats count by usage | sort limit=10 count desc | rename count as Hits

stats count by x_webcat_code_full |rename x_webcat_code_full AS category |sort limit=10 count desc | rename count as Hits

timechart count by usage | fields – NULL

timechart count by x_webcat_code_full | fields – NULL

top limit=10 src_ip

eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by s_hostname | sort limit=10 max(MegaByte) desc

ashabc · ‎11-12-2013

eval wd=lower(date_wday) | eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6, wd=="sunday",7) | chart count over sort_field by usage | eval sort_field = case(sort_field=1,"Monday", sort_field=2,"Tuesday", sort_field=3,"Wednesday", sort_field=4,"Thursday", sort_field=5,"Friday", sort_field=6,"Saturday", sort_field=7,"Sunday")

bucket _time span=1h | eval hour=strftime(_time,"%H:00") | chart count over hour by usage

top limit=10 usage

top limit=10 x_webcat_code_full

ashabc · ‎11-12-2013

Base search

eventtype=ironport_proxy loginid="$loginid$" s_hostname!="-" | fields date_wday date_hour src_ip s_hostname sc_bytes usage x_webcat_code_full "Display Name"

Post process searches are:

table "Display Name

stats max(_time) as first_time min(_time) as last_time | eval time_period = tostring(strftime(last_time, "%d/%m/%y %I:%M %p")) + " to " + tostring(strftime(first_time, "%d/%m/%y %I:%M %p")) | fields - first_time last_time

timechart count by usage

ashabc · ‎11-12-2013

Thank you Ayn for taking time to respond to my post.

I think the problem is that the base search is not providing all data inputs to postprocesssearch as described in

http://docs.splunk.com/Documentation/Splunk/4.1.5/Developer/PostProcess

Here is my search string:

Ayn · ‎11-12-2013

I think the problem lies not in this section of the XML but rather in the search you're using. Could you please paste the search part as well, please.

Time range problem in advance XML dashboard (timerangepicker)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation