Dashboards & Visualizations

Time range problem in advance XML dashboard (timerangepicker)

Contributor

I have a dashboard which uses advance xml for web proxy log analysis (ironport). It allows to select the time range from the drop down list. Everything seems to be working OK except when I select the date range for more than 7 days e.g. last 30 days or a specific date range, it still only displays last 7 days worth of data/chart.

However, if I take the same query in search (not dashboard), it shows/displays correct data/chart. So I must be doing something strange in XML. I have copied relevant part of the XML that uses TimeRangePicker.

Can anyone help me to point out what I may be doing wrong?

<module name="TimeRangePicker" layoutPanel="panel_row1_col1_grp2">
            <param name="searchWhenChanged">false</param>
            <module name="SubmitButton">
                <param name="allowSoftSubmit">false</param>
                <param name="label">Search</param>
                <module name="JobStatus" layoutPanel="viewHeader">
1 Solution

Legend

Post processing has a limit of 10000 events, so if your base search generates more results than that they will never make it to the postprocess modules. You should try to aggregate your results in your base search so that the data passed on from it doesn't surpass this 1000 events limit. If this is not possible, you will need to convert your postprocess searches to individual searches instead. See more here: http://answers.splunk.com/answers/62534/hiddenpostprocess-silently-discarding-results

View solution in original post

Contributor

I ended up increasing the maxcount to 100000 in hiddensearch (100000). I know its not the best practice, but for this dashboard, I don't have much option, it seems.

Thank you for you help Ayn.

0 Karma

Legend

Post processing has a limit of 10000 events, so if your base search generates more results than that they will never make it to the postprocess modules. You should try to aggregate your results in your base search so that the data passed on from it doesn't surpass this 1000 events limit. If this is not possible, you will need to convert your postprocess searches to individual searches instead. See more here: http://answers.splunk.com/answers/62534/hiddenpostprocess-silently-discarding-results

View solution in original post

Contributor

top limit=50 s_hostname showperc=0

top limit=50 s_hostname showperc=0

rex field=shostname mode=sed "s/^www.*?\.//g" | transaction maxevents=-1 keepevicted=true shostname maxpause=5m maxspan=1h | stats count by shostname | rename shostname as Domain count as Sessions | sort 50 –Sessions

top limit=50 s_hostname | sort desc

0 Karma

Contributor

stats count by usage | sort limit=10 count desc | rename count as Hits

stats count by xwebcatcodefull |rename xwebcatcodefull AS category |sort limit=10 count desc | rename count as Hits

timechart count by usage | fields – NULL

timechart count by xwebcatcode_full | fields – NULL

top limit=10 src_ip

eval MegaByte=scbytes/1048576 | stats max(MegaByte) by shostname | sort limit=10 max(MegaByte) desc

0 Karma

Contributor

eval wd=lower(datewday) | eval sortfield=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6, wd=="sunday",7) | chart count over sortfield by usage | eval sortfield = case(sortfield=1,"Monday", sortfield=2,"Tuesday", sortfield=3,"Wednesday", sortfield=4,"Thursday", sortfield=5,"Friday", sortfield=6,"Saturday", sort_field=7,"Sunday")

bucket time span=1h | eval hour=strftime(time,"%H:00") | chart count over hour by usage

top limit=10 usage

top limit=10 xwebcatcode_full

0 Karma

Contributor

Base search

eventtype=ironportproxy loginid="$loginid$" shostname!="-" | fields datewday datehour srcip shostname scbytes usage xwebcatcodefull "Display Name"

Post process searches are:

table "Display Name

stats max(time) as firsttime min(time) as lasttime | eval timeperiod = tostring(strftime(lasttime, "%d/%m/%y %I:%M %p")) + " to " + tostring(strftime(firsttime, "%d/%m/%y %I:%M %p")) | fields - firsttime last_time

timechart count by usage

0 Karma

Contributor

Thank you Ayn for taking time to respond to my post.

I think the problem is that the base search is not providing all data inputs to postprocesssearch as described in

http://docs.splunk.com/Documentation/Splunk/4.1.5/Developer/PostProcess

Here is my search string:

0 Karma

Legend

I think the problem lies not in this section of the XML but rather in the search you're using. Could you please paste the search part as well, please.

0 Karma