How do I display the Patterns tab result in a report or dashboard?
I clicked Save As Report and found no option for showing the Patterns tab result.
Is there any command equivalent that shows the same result as the Patterns tab?
There is no direct way to display the patterns tab the way it is formatted in the Search and Reporting app in a dashboard.
But... the Patterns tab is produced by running a cluster command under the covers. You can check the _audit index after selecting the patterns tab and you will see something like this (I used a search on the _internal index when selecting patterns):
index=_internal | cluster t=0.3 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true
You can start here and format the output to satisfy your display needs.
Just adding one note because I found this discussion while looking for the same answer.
Going to Settings >> Monitoring Console >> Search >> Activity >> Search Usage Statistics: Instance and then setting the option "Only Ad Hoc Searches" = NO, you can find the search triggered by Splunk when you click on the "Patterns" tab:
| loadjob 1233886270.2 events=true require_finished=false | cluster t=0.8 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true
This is exactly what is done in the background (where 1233886270.2 is the search job id).
Then, if you want to recreate the same result, you have to append approximately this to your search:
| cluster t=0.8 labelonly=t showcount=t labelfield=_patterns match=termset
| findkeywords labelfield=_patterns dedup=true
| search confidence>0
| fields - search
| sort -percentMatched
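As an added example that is not part of the original thread, here is a Simple XML dashboard panel that embeds the search above so the cluster/findkeywords output shows up as a table in a dashboard. The index name (index=web), sourcetype, time range and row count are placeholder assumptions; replace them with the index that actually holds your data.

```xml
<dashboard>
  <label>Event patterns (cluster + findkeywords)</label>
  <row>
    <panel>
      <title>Patterns for sourcetype=access*</title>
      <table>
        <search>
          <!-- Assumed base search: index=web sourcetype=access* is a placeholder -->
          <query>
            index=web sourcetype=access*
            | cluster t=0.8 labelonly=t showcount=t labelfield=_patterns match=termset
            | findkeywords labelfield=_patterns dedup=true
            | search confidence&gt;0
            | fields - search
            | sort -percentMatched
          </query>
          <!-- Assumed time range; the Patterns tab uses whatever range the original search had -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Number of rows shown per page; assumed value -->
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Note that `>` inside the `<query>` element is written as `&gt;` so the XML stays well-formed. Raising `t` (the cluster threshold) toward 1.0 produces more, narrower patterns; lowering it merges more events into fewer clusters, which is why the thread shows both t=0.3 and t=0.8.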
I'm just wondering/checking how exactly it is sorting the results, and how it is calculating the number of events matched.
Is there any update to your answer?
After trying to append index=_audit or index=_internal, I still cannot create the same result as the Patterns tab.
I was using the internal index as an example to show you what is being executed under the covers by the patterns tab. You would obviously have to use the index that contains your data for which you want to identify the patterns. Which index contains the data for your sourcetype=access*? That's the one you need to search. If it's searched by default, just remove index=_internal
Your results from 2 days ago were different, because you looked at the patterns tab for a search over your data, but added index=_internal to the search that used the cluster command. The timeframes were slightly different as well.
The results are different from the Patterns tab after appending this command:
https://drive.google.com/file/d/0Bxs_ao6uuBDUR1g1djdIZHVhejQ/view?usp=sharing
https://drive.google.com/file/d/0Bxs_ao6uuBDURUhHdDNlUEh3RUU/view?usp=sharing
I found no _audit index in the Patterns tab or the search Events tab. Where is it?
I appended index=_internal or index=_audit:
https://drive.google.com/file/d/0Bxs_ao6uuBDUd2xMcXdyY3JkR1E/view?usp=sharing
https://drive.google.com/file/d/0Bxs_ao6uuBDUOWdnYXl3LXhpSzA/view?usp=sharing
but got no result.
autojoin='1' buckets=300 ttl=600 max_count=500000 maxtime=8640000 enable_lookups='1'