Are there any Search-Switcher Modules for Simple XML out there?

KolGr001
SplunkTrust

I am in need of a search-switcher for simple XML. I can't seem to find anything in respect to this out there. If this is not available, does anyone have any ideas on some custom work that could be done to implement this functionality?

Thanks in Advance!

1 Solution

KolGr001
SplunkTrust

Good thing I'm pretty cool with a Splunk God 🙂

Here is a "hobo" solution, bro:

Not-so-brief Background -

We needed a solution where we could go back in time greater than yesterday to view various transactional-type statistics (please let me explain :0) ). What was happening was we had a summary index storing this transactional data. Once the scheduled job ran to pick up the latest data, it would be stored in the summary index.

There could be a few problems here - it could be possible that when the job ran the transaction wasn't exactly completed yet, or it could have gone into some NOT success status where it would later need to be reprocessed. Although that transaction was reprocessed later on, we could not tell from our dashboard that it was - so some success rates would stay low or transactions considered in progress would just sit in a processing bucket with no end in sight 😞 We needed to create an additional summary that acted as a transactional reconcile-er!...? This way we could obtain the absolute latest status of our transactions and display more accurate stats. Then we sort of ran into this issue where we were overloading our disk usage limit by running this search longer than -24h@h:

 Search auto-finalized after disk usage limit (100MB) reached.

THE SOLUTION!

Essentially we can create mini searches which are used as tokens for a specific period of time. Here is the sample solution in simple XML -

<form>
    <label>Hobo_SearchSwapper</label>
    <fieldset autoRun="true" submitButton="false">
        <!-- Each choice value is a complete search; the selected one becomes the token value -->
        <input type="dropdown" token="tkn_base_timerange_search" searchWhenChanged="true">
            <label>Select a timerange:</label>
            <default>Last 60 minutes</default>
            <!-- Short windows run against the raw index -->
            <choice value="index=main earliest=-60m | timechart span=2m count by host">Last 60 minutes</choice>
            <choice value="index=main earliest=-4h | timechart span=15m count by host">Last 4 hours</choice>
            <!-- Anything at or beyond -24h reads the summary index so the search stays under the disk usage limit -->
            <choice value="index=summary earliest=-24h | timechart span=30m count by host">Last 24 hours</choice>
            <!-- Relative time modifiers need a sign: "7d" is not the same as "-7d" -->
            <choice value="index=summary earliest=-7d | timechart span=2h count by host">Last 7 days</choice>
        </input>
    </fieldset>
    <row>
        <chart>
            <!-- The chart runs whatever search string the token currently holds -->
            <searchString>$tkn_base_timerange_search$</searchString>
            <option name="charting.chart">line</option>
        </chart>
    </row>
</form>

Hope this helps anyone interested in this use case!

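The pattern in the accepted answer is a dropdown whose choice values are whole searches, substituted into the panel through a token. The script below is an added example, not code from the original post or from Splunk: it parses a Simple XML form of that shape, shows exactly which SPL string the chart will run for a given dropdown label, and lints the `earliest=`/`latest=` values of every choice so an unsigned modifier like `earliest=7d` (which silently returns no data instead of the last week) is caught before the dashboard ships. The embedded form is a constructed sample modelled on the answer and deliberately keeps one bad modifier; the function names and the token-substitution rule (`$name$` replaced by the input's value) are assumptions of this example.

```python
"""Resolve and lint a Simple XML search-switcher dashboard (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the answer's form; the "Last 7 days" choice keeps
# an unsigned "earliest=7d" on purpose so the linter has something to flag.
SAMPLE_FORM = """<form>
    <label>Hobo_SearchSwapper</label>
    <fieldset autoRun="true" submitButton="false">
        <input type="dropdown" token="tkn_base_timerange_search" searchWhenChanged="true">
            <label>Select a timerange:</label>
            <default>Last 60 minutes</default>
            <choice value="index=main earliest=-60m | timechart span=2m count by host">Last 60 minutes</choice>
            <choice value="index=summary earliest=-24h@h | timechart span=30m count by host">Last 24 hours</choice>
            <choice value="index=summary earliest=7d | timechart span=2h count by host">Last 7 days</choice>
        </input>
    </fieldset>
    <row>
        <chart>
            <searchString>$tkn_base_timerange_search$</searchString>
            <option name="charting.chart">line</option>
        </chart>
    </row>
</form>"""

# A relative time modifier: sign, amount, unit, optional snap-to (e.g. -24h@h).
RELATIVE_TIME = re.compile(r"^[+-]\d+(s|m|h|d|w|mon|q|y)(@\w+)?$")
# earliest=/latest= arguments anywhere in the SPL.
TIME_ARG = re.compile(r"\b(earliest|latest)=(\S+)")
# $token$ references inside a search string.
TOKEN = re.compile(r"\$(\w+)\$")


def load_dropdown(xml_text):
    """Return (token_name, {label: search_string}) for the first dropdown input."""
    root = ET.fromstring(xml_text)
    dropdown = root.find(".//input[@type='dropdown']")
    if dropdown is None:
        raise ValueError("form has no dropdown input")
    choices = {c.text.strip(): c.get("value") for c in dropdown.findall("choice")}
    return dropdown.get("token"), choices


def resolve_search(xml_text, selected_label):
    """Substitute the dropdown token into the first chart's searchString, the way
    the dashboard runtime does when the user picks `selected_label`."""
    token, choices = load_dropdown(xml_text)
    template = ET.fromstring(xml_text).findtext(".//chart/searchString")
    if template is None:
        raise ValueError("form has no chart searchString")
    values = {token: choices[selected_label]}

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"token ${name}$ is not set by any input")
        return values[name]

    return TOKEN.sub(substitute, template.strip())


def lint_time_modifiers(spl):
    """Flag earliest=/latest= values that are not well-formed time modifiers."""
    problems = []
    for name, value in TIME_ARG.findall(spl):
        if value in ("now", "0") or value.isdigit() or RELATIVE_TIME.match(value):
            continue  # literal now, epoch seconds, or a signed relative modifier
        problems.append(
            f"{name}={value}: not a valid relative time modifier "
            "(expected a signed form such as -7d or -24h@h)"
        )
    return problems


def lint_form(xml_text):
    """Lint every dropdown choice and return {label: [problems]}."""
    _, choices = load_dropdown(xml_text)
    return {label: lint_time_modifiers(spl) for label, spl in choices.items()}


if __name__ == "__main__":
    for label, problems in lint_form(SAMPLE_FORM).items():
        print(f"{label}: {problems or 'ok'}")
    print(resolve_search(SAMPLE_FORM, "Last 7 days"))
```

Because the token value is the search itself rather than a label, `resolve_search` is the honest picture of what each panel executes; reviewing that output per choice is the check worth doing when the switcher is changed, since a choice that reads the wrong index or carries a bad modifier fails quietly with an empty chart rather than an error.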


Raghav2384
Motivator

Could you please provide more on search-switching requirement? There's a simple XML example in 6.2.x dashboard example app called link-switcher.

It allows you to toggle for multiple chart views in one panel.
