Dashboards & Visualizations

how to display pattern tab result in report in dashboard?

cyberportnoc
Explorer

I click Save As Report and find no option for showing the Pattern tab result.

Is there any command equivalent that shows the same result as the Pattern tab?


s2_splunk
Splunk Employee

There is no direct way to display the Patterns tab, as it is formatted in the Search and Reporting app, in a dashboard.
But... the Patterns tab is produced by running a cluster command under the covers. You can check the _audit index after selecting the Patterns tab, and you will see something like this (I used a search on the _internal index when selecting patterns):
index=_internal | cluster t=0.3 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true
You can start here and format the output to satisfy your display needs.


edoardo_vicendo
Contributor

Just adding one note because I have seen this discussion as I was looking for the same answer.

Going to Settings >> Monitoring Console >> Search >> Activity >> Search Usage Statistics: Instance and then selecting the option "Only Ad Hoc Searches" = NO, you can find the search triggered by Splunk when you click on the "Patterns" tab:

| loadjob 1233886270.2 events=true require_finished=false | cluster t=0.8 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true

This is exactly what is done in the background (where 1233886270.2 is the search job id).

Then, if you want to recreate the same result, you approximately have to append this to your search:

| cluster t=0.8 labelonly=t showcount=t labelfield=_patterns match=termset
| findkeywords labelfield=_patterns dedup=true
| search confidence>0
| fields - search
| sort -percentMatched

Just wondering/checking how exactly it is sorting the results, and how it is calculating the number of events matched.

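As an added example (not part of the thread above or of Splunk's own documentation), here is a Simple XML dashboard that embeds the cluster/findkeywords pipeline quoted in the previous post in a table panel, which is what the original question asked for. The index name `YOUR_INDEX`, the `base_search` and `time_range` token names, and the panel title are assumptions; the `sourcetype=access*` value comes from the thread.

```xml
<dashboard>
  <label>Patterns tab recreated (added example)</label>
  <!-- Assumption: replace YOUR_INDEX with the index that actually holds the
       sourcetype=access* data; the pipeline below is the one quoted in the thread. -->
  <fieldset submitButton="true">
    <input type="text" token="base_search">
      <label>Base search (events to cluster)</label>
      <default>index=YOUR_INDEX sourcetype=access*</default>
    </input>
    <input type="time" token="time_range">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Event patterns (cluster t=0.8)</title>
      <table>
        <search>
          <!-- "&gt;" is the XML escape for ">" in confidence>0 -->
          <query>
            $base_search$
            | cluster t=0.8 labelonly=t showcount=t labelfield=_patterns match=termset
            | findkeywords labelfield=_patterns dedup=true
            | search confidence&gt;0
            | fields - search
            | sort -percentMatched
          </query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Paste this into the dashboard source editor or save it as a view. Two practical points: the `t` threshold controls how tightly events are clustered (the thread shows 0.3 in one captured search and 0.8 in another, so tune it against your data), and because `base_search` is a free-text token spliced straight into the query, anyone who can open the dashboard can run arbitrary SPL with their own permissions; if that is not wanted, replace the text input with a dropdown of fixed searches.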


cyberportnoc
Explorer

Is there any update to your answer?

After trying to append index=_audit or index=_internal, I still cannot create the same result as the Pattern tab.


s2_splunk
Splunk Employee

I was using the internal index as an example to show you what is being executed under the covers by the Patterns tab. You would obviously have to use the index that contains your data for which you want to identify the patterns. Which index contains the data for your sourcetype=access*? That's the one you need to search. If it's searched by default, just remove index=_internal.

Your results from 2 days ago were different because you looked at the Patterns tab for a search over your data, but added index=_internal to the search that used the cluster command. The timeframes were slightly different as well.


cyberportnoc
Explorer

I found no _audit index in the Pattern tab or the Search events tab. Where is it?


cyberportnoc
Explorer

I appended index=_internal or index=_audit:

https://drive.google.com/file/d/0Bxs_ao6uuBDUd2xMcXdyY3JkR1E/view?usp=sharing
https://drive.google.com/file/d/0Bxs_ao6uuBDUOWdnYXl3LXhpSzA/view?usp=sharing

but got no result:

autojoin='1' buckets=300 ttl=600 max_count=500000 maxtime=8640000 enable_lookups='1'
