Dashboards & Visualizations

TimeRangePicker with HiddenPostProcess

asmall
Explorer

I created a dashboard using the TimeRangePicker and a hidden search. I segmented that Hidden Search using HiddenPostProcess to display single value charts taken of different fields taken from the HiddenSearch. However, when the time range is changed using the picker, the HiddenPostProcess fails to update the single value charts displayed. I believe this to be a bug. I am using the x64 version of Splunk 5.0.2.

nick
Explorer

There's a good chance this is simply "death by AutoRun".

When you use autoRun="True", you put one of them up at the top of the view, such that it's sufficiently high that if a push were to cascade down from there, it would touch all the points where you need searches dispatched.

autoRun is not an attribute on any particular module - rather it is a flag to the overall module framework - "start pushing data down through all the modules, from HERE".

What happens if you have more than autoRun="true" is you have a peculiar little race. Sometimes it may work, or sometimes you'll end up with a bunch of modules "seeming to not react to upstream changes properly". What happens if you have TONS of autoRun="True" is that things just get more and more evil.

I would definitely start with that - take away every one of them except the one on the very topmost HiddenSavedSearch. And do not put autoRun="False" because this is meaningless and it will only confuse you or some other human later.

If removing the extra autoRun's doesn't fix it then leave a comment and I will update this answer.

UPDATE: I'm afraid I don't know what's wrong. I've duplicated your view except for changing it to run against index=_internal data, and when I remove the autoRun's it works fine for me. =/

Maybe you can take this XML below and run it on your system and find the difference.

<module name="TimeRangePicker" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="default">Last 24 hours</param>
  <param name="searchWhenChanged">True</param>

  <module name="HiddenSearch" layoutPanel="panel_row2_col1">
    <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | stats max(eps) as maxEps sum(kb) as sumKb</param>

    <module name="JobProgressIndicator"/>

    <module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1" group="Session Stats" >
      <param name="search">
        | eval range="remote"
      </param>
      <module name="SingleValue">
        <param name="field">maxEps</param>
        <param name="classField">range</param>
        <param name="afterLabel">max eps</param>
        <param name="format">count</param>
      </module>
    </module>
    <module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp2" group="Session Stats" >
      <param name="search">
        | eval range="user"
      </param>
      <module name="SingleValue">
        <param name="field">sumKb</param>
        <param name="classField">range</param>
        <param name="afterLabel">total KB</param>
        <param name="format">count</param>
      </module>
    </module>

  </module>
</module>
0 Karma

asmall
Explorer

I have removed the autoRun="True" statement from the HiddenSearch module and it still doesn't update after changing the time range.

0 Karma

nick
Explorer

OK. And just for thoroughness, make sure to take it off the HiddenSearch as well. Leave only the one at the top on the TimeRangePicker, and in general leave only one total. I'll take another look though. Maybe there's a SingleValue bug happening.

0 Karma

asmall
Explorer

No, that doesn't fix anything. However, I should include for historical reference that though I did try your suggestion today, previously, I added the autoRun="True" statements to the HiddenPostProcess sections when they failed to update after changing the time frame on the TimeRangePicker. Originally, my code didn't have the autoRun="True" statements in the HiddenPostProcess sections at all.

0 Karma

asmall
Explorer

I have posted my syntax to pastebin: http://pastebin.com/mcjXifH8

0 Karma

sideview
SplunkTrust
SplunkTrust

Can you post the XML here or put it up on pastebin?

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...