simple xml dashboard panel with time selection and tstats search, doesn't always comply with time selection

monzy
Communicator

When using tstats/TSIDX and when using pivot/datamodel, the dashboard panels don't seem to heed the time range set in the time range picker for the dashboard. This doesn't happen all the time, but it happens a lot, and it happens in multiple dashboards, e.g. https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/develop/default/data/ui/views/...

If I add the following line to the WHERE clause of the tstats command, the problem goes away:

WHERE earliest=$earliest$ latest=$latest$

I checked the Splunk 6 known issues page but didn’t see anything about this. Is this a bug, or is this the appropriate way to use tstats?

I appreciate your insights.

monzy

ziegfried
Influencer

The default value in the form of

<input type="time" searchWhenChanged="true">
    <default>
        <earliestTime>-60m</earliestTime>
        <latestTime>now</latestTime>
    </default>
</input>

is valid as of Splunk 6 and is also listed in view.rnc. The major benefit is that this notation allows specifying any time range, not just preconfigured ones.

According to the screenshot the error seems to occur in the <populatingSearch> of a dropdown input. Have you tried specifying the timerange explicitly there?

<populatingSearch fieldForValue="app" fieldForLabel="app_with_count" earliest="$earliest$" latest="$latest$">
    | tstats count(app) as count FROM pan_traffic WHERE groupby app
    | eval app_with_count = app . " (" . count . ")"
</populatingSearch>
0 Karma

btorresgil
Builder

After further investigation, it's not just dashboard timepickers that are being ignored. If I go to Pivot and put 'All time' or '2 seconds' I get the same results, which is incorrect. Also, it doesn't affect every server with Splunk, only some (I have one where it is currently reproduced).

I also observed that the data model on that server is accelerated, but under the acceleration info it says 'Size on Disk' is '0.00MB', even though it says the status is 100% completed. Perhaps the datamodel is getting corrupted somehow?

0 Karma

btorresgil
Builder

Thanks, I tried adding the earliest and latest parameters to the populatingSearch element, but it didn't change anything. Still getting the same error.

Keep in mind that the error I'm seeing is not on the dashboard in the original question, it's actually on this dashboard which leverages the Data Model:
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/feature/datamodel/default/data...

I don't know if the error in the screenshot is related to the original problem, which is that the dashboard timepicker is being ignored.

0 Karma

hazekamp
Builder

Monzy,

A few things to try/verify:

One. Per the view.rnc for simple xml "only preset values defined in times.conf are recognized". Therefore your specification of:

<input type="time" searchWhenChanged="true">
    <default>
        <earliestTime>-60m</earliestTime>
        <latestTime>now</latestTime>
    </default>
</input>

Could be:

<input type="time">
    <default>Last 60 minutes</default>
</input>

Two. You do not have to specify earliest/latest in each of the panels or in the where clauses.


<earliestTime>$earliest$</earliestTime>
<latestTime>$latest$</latestTime>

It looks like things should work after that (hopefully). You'll also want to use "where * $token1$ $token2$...", this way if all tokens are not populated you still have a valid "where" clause.

David

btorresgil
Builder

I just tried changing the to a default tag like you suggested, and I tried removing the earliestTime and latestTime tags from one of the panels, but I see the same behavior.

0 Karma

btorresgil
Builder

I don't think these lines are problems because they were created by Splunk when the dashboard was created. So if those lines are wrong, then Splunk is creating them wrong.

The example link above may be a bad example because it has a workaround for the problem in it. Here is an example that consistently manifests the issue:
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/feature/datamodel/default/data...

Here is an error I get when accessing that dashboard, and the inspection info:
https://paloaltonetworks.box.com/splunk-timerange-issue

0 Karma
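
The thread names three places a tstats search can pick up the picker's range: earliest=/latest= in the WHERE clause, earliest/latest attributes on <populatingSearch>, and <earliestTime>/<latestTime> elements in the panel. The following is an added example, not code from any poster or from the Palo Alto Networks app: a small Python check that lists the tstats searches in a Simple XML form that use none of the three. The sample form is constructed, and the function name is hypothetical.

```python
import re
import xml.etree.ElementTree as ET
# Constructed Simple XML form; pan_traffic and the tokens mirror the thread.
SAMPLE = """<form>
  <fieldset>
    <input type="time" searchWhenChanged="true"/>
    <input type="dropdown" token="app">
      <populatingSearch fieldForValue="app" fieldForLabel="app">
        | tstats count FROM pan_traffic groupby app
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <chart><title>Bound in WHERE</title>
      <searchString>| tstats count FROM pan_traffic WHERE earliest=$earliest$ latest=$latest$ groupby app</searchString>
    </chart>
    <table><title>Bound by elements</title>
      <searchString>| tstats count FROM pan_traffic groupby app</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
    </table>
    <chart><title>Unbound</title>
      <searchString>| tstats count FROM pan_traffic groupby app</searchString>
    </chart>
  </row>
</form>"""

TSTATS = re.compile(r"\|\s*tstats\b", re.I)
IN_QUERY = [re.compile(r"\b%s\s*=\s*\S" % k, re.I) for k in ("earliest", "latest")]

def unbound_tstats(xml_text):
    """Return labels of tstats searches that carry no explicit time bounds."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        if node.tag == "populatingSearch":   # bounds may be attributes
            search, label = node, "populatingSearch"
            outer = bool(node.get("earliest") and node.get("latest"))
        else:                                # bounds may be child elements of the panel
            search, label = node.find("searchString"), node.findtext("title") or node.tag
            outer = all((node.findtext(t) or "").strip()
                        for t in ("earliestTime", "latestTime"))
        text = (search.text or "") if search is not None else ""
        inline = all(p.search(text) for p in IN_QUERY)
        if TSTATS.search(text) and not (outer or inline):
            findings.append(label)
    return findings

if __name__ == "__main__":
    print(unbound_tstats(SAMPLE))
```

The check only reports searches that rely on the implicit dashboard time range; it does not detect the data model acceleration state described in the thread.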