Splunk Search

Are there any Search-Switcher Modules for Simple XML out there?

_gkollias
SplunkTrust

I am in need of a search-switcher for simple XML. I can't seem to find anything with respect to this out there. If this is not available, does anyone have any ideas on some custom work that could be done to implement this functionality?

Thanks in Advance!

1 Solution

_gkollias
SplunkTrust

Good thing I'm pretty cool with a Splunk God 🙂

Here is a "hobo" solution, bro:

Not-so-brief Background -

We needed a solution where we could go back in time greater than yesterday to view various transactional-type statistics (please let me explain :0) ). What was happening was we had a summary index storing this transactional data. Once the scheduled job ran to pick up the latest data, it would be stored in the summary index.

There could be a few problems here - it could be possible that when the job ran the transaction wasn't exactly completed yet, or it could have gone into some NOT success status where it would later need to be reprocessed. Although that transaction was reprocessed later on, we could not tell from our dashboard that it was - so some success rates would stay low or transactions considered in progress would just sit in a processing bucket with no end in sight 😞 We needed to create an additional summary that acted as a transactional reconcile-er!...? This way we could obtain the absolute latest status of our transactions and display more accurate stats. Then we sort of ran into this issue where we were overloading our disk usage limit by running this search longer than -24h@h:

 Search auto-finalized after disk usage limit (100MB) reached.

THE SOLUTION!

Essentially we can create mini searches which are used as tokens for a specific period of time. Here is the sample solution in simple XML -

<form>
    <label>Hobo_SearchSwapper</label>
    <fieldset autoRun="true" submitButton="false">
        <!-- Each choice value is a complete SPL search; the token holds whichever one is selected. -->
        <input type="dropdown" token="tkn_base_timerange_search" searchWhenChanged="true">
            <label>Select a timerange:</label>
            <default>Last 60 minutes</default>
            <choice value="index=main earliest=-60m | timechart span=2m count by host">Last 60 minutes</choice>
            <choice value="index=main earliest=-4h | timechart span=15m count by host">Last 4 hours</choice>
            <!-- Longer ranges read the summary index so the search stays under the disk usage limit. -->
            <choice value="index=summary earliest=-24h | timechart span=30m count by host">Last 24 hours</choice>
            <choice value="index=summary earliest=-7d | timechart span=2h count by host">Last 7 days</choice>
        </input>
    </fieldset>
    <row>
        <chart>
            <!-- The panel's search string is the token itself, i.e. the selected SPL. -->
            <searchString>$tkn_base_timerange_search$</searchString>
            <option name="charting.chart">line</option>
        </chart>
    </row>
</form>

Hope this helps anyone interested in this use case!

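A tighter variant of the same search-swapper idea, added here as an example and not part of gkollias's post or any Splunk app: the dropdown value carries only the relative time modifier, and a change handler maps that choice to fixed index and span tokens, so the SPL text itself stays in the panel instead of being assembled from an input value. Keeping query text out of user-settable input values is the usual way to avoid a dashboard input turning into a free-form search string. It assumes Splunk 6.3 or later (for `<change>`, `<condition>` and `<set>`) and reuses the `main` and `summary` index names and spans from the original.

```xml
<form>
    <label>SearchSwapper_FixedQuery</label>
    <fieldset autoRun="true" submitButton="false">
        <!-- The dropdown value is only a relative time modifier; the SPL lives in the panel below. -->
        <input type="dropdown" token="tkn_earliest" searchWhenChanged="true">
            <label>Select a timerange:</label>
            <default>-60m</default>
            <choice value="-60m">Last 60 minutes</choice>
            <choice value="-4h">Last 4 hours</choice>
            <choice value="-24h">Last 24 hours</choice>
            <choice value="-7d">Last 7 days</choice>
            <!-- Change handler (Splunk 6.3+, assumed): derive index and span from the chosen range,
                 so short ranges read raw data and long ranges read the summary index. -->
            <change>
                <condition value="-60m">
                    <set token="tkn_index">main</set>
                    <set token="tkn_span">2m</set>
                </condition>
                <condition value="-4h">
                    <set token="tkn_index">main</set>
                    <set token="tkn_span">15m</set>
                </condition>
                <condition value="-24h">
                    <set token="tkn_index">summary</set>
                    <set token="tkn_span">30m</set>
                </condition>
                <condition value="-7d">
                    <set token="tkn_index">summary</set>
                    <set token="tkn_span">2h</set>
                </condition>
            </change>
        </input>
    </fieldset>
    <row>
        <panel>
            <chart>
                <!-- Fixed query: tokens fill in only the index, the span and the time range. -->
                <search>
                    <query>index=$tkn_index$ | timechart span=$tkn_span$ count by host</query>
                    <earliest>$tkn_earliest$</earliest>
                    <latest>now</latest>
                </search>
                <option name="charting.chart">line</option>
            </chart>
        </panel>
    </row>
</form>
```

With this layout `tkn_index` and `tkn_span` are only ever set to the literals in the change handler, and the time range goes through `<earliest>` rather than being spliced into the search string, so adding a new range means adding one `<choice>` and one `<condition>` rather than copying a whole query.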

Raghav2384
Motivator

Could you please provide more on the search-switching requirement? There's a simple XML example in the 6.2.x dashboard example app called link-switcher.

It allows you to toggle for multiple chart views in one panel.
