Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time range problem in advance XML dashboard (timerangepicker)

ashabc
Contributor
‎11-11-2013 10:12 PM

I have a dashboard which uses advance xml for web proxy log analysis (ironport). It allows to select the time range from the drop down list. Everything seems to be working OK except when I select the date range for more than 7 days e.g. last 30 days or a specific date range, it still only displays last 7 days worth of data/chart.

However, if I take the same query in search (not dashboard), it shows/displays correct data/chart. So I must be doing something strange in XML. I have copied relevant part of the XML that uses TimeRangePicker.

Can anyone help me to point out what I may be doing wrong?

<module name="TimeRangePicker" layoutPanel="panel_row1_col1_grp2">
            <param name="searchWhenChanged">false</param>
            <module name="SubmitButton">
                <param name="allowSoftSubmit">false</param>
                <param name="label">Search</param>
                <module name="JobStatus" layoutPanel="viewHeader">
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎11-12-2013 03:03 AM

Post processing has a limit of 10000 events, so if your base search generates more results than that they will never make it to the postprocess modules. You should try to aggregate your results in your base search so that the data passed on from it doesn't surpass this 1000 events limit. If this is not possible, you will need to convert your postprocess searches to individual searches instead. See more here: http://answers.splunk.com/answers/62534/hiddenpostprocess-silently-discarding-results

View solution in original post

Reply
Solved! Jump to solution

ashabc
Contributor
‎11-12-2013 06:50 PM

I ended up increasing the maxcount to 100000 in hiddensearch (100000). I know its not the best practice, but for this dashboard, I don't have much option, it seems.

Thank you for you help Ayn.

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎11-12-2013 03:03 AM

Post processing has a limit of 10000 events, so if your base search generates more results than that they will never make it to the postprocess modules. You should try to aggregate your results in your base search so that the data passed on from it doesn't surpass this 1000 events limit. If this is not possible, you will need to convert your postprocess searches to individual searches instead. See more here: http://answers.splunk.com/answers/62534/hiddenpostprocess-silently-discarding-results

Reply
Solved! Jump to solution

ashabc
Contributor
‎11-12-2013 01:48 AM

top limit=50 s_hostname showperc=0

top limit=50 s_hostname showperc=0

rex field=s_hostname mode=sed "s/^www.*?\.//g" | transaction maxevents=-1 keepevicted=true s_hostname maxpause=5m maxspan=1h | stats count by s_hostname | rename s_hostname as Domain count as Sessions | sort 50 –Sessions

top limit=50 s_hostname | sort desc

0 Karma
Reply
Solved! Jump to solution

ashabc
Contributor
‎11-12-2013 01:48 AM

stats count by usage | sort limit=10 count desc | rename count as Hits

stats count by x_webcat_code_full |rename x_webcat_code_full AS category |sort limit=10 count desc | rename count as Hits

timechart count by usage | fields – NULL

timechart count by x_webcat_code_full | fields – NULL

top limit=10 src_ip

eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by s_hostname | sort limit=10 max(MegaByte) desc

0 Karma
Reply
Solved! Jump to solution

ashabc
Contributor
‎11-12-2013 01:47 AM

eval wd=lower(date_wday) | eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6, wd=="sunday",7) | chart count over sort_field by usage | eval sort_field = case(sort_field=1,"Monday", sort_field=2,"Tuesday", sort_field=3,"Wednesday", sort_field=4,"Thursday", sort_field=5,"Friday", sort_field=6,"Saturday", sort_field=7,"Sunday")

bucket _time span=1h | eval hour=strftime(_time,"%H:00") | chart count over hour by usage

top limit=10 usage

top limit=10 x_webcat_code_full

0 Karma
Reply
Solved! Jump to solution

ashabc
Contributor
‎11-12-2013 01:46 AM

Base search

eventtype=ironport_proxy loginid="$loginid$" s_hostname!="-" | fields date_wday date_hour src_ip s_hostname sc_bytes usage x_webcat_code_full "Display Name"

Post process searches are:

table "Display Name

stats max(_time) as first_time min(_time) as last_time | eval time_period = tostring(strftime(last_time, "%d/%m/%y %I:%M %p")) + " to " + tostring(strftime(first_time, "%d/%m/%y %I:%M %p")) | fields - first_time last_time

timechart count by usage

0 Karma
Reply
Solved! Jump to solution

ashabc
Contributor
‎11-12-2013 01:34 AM

Thank you Ayn for taking time to respond to my post.

I think the problem is that the base search is not providing all data inputs to postprocesssearch as described in

http://docs.splunk.com/Documentation/Splunk/4.1.5/Developer/PostProcess

Here is my search string:

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎11-12-2013 12:06 AM

I think the problem lies not in this section of the XML but rather in the search you're using. Could you please paste the search part as well, please.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...