Splunk Search

Are there any Search-Switcher Modules for Simple XML out there?

_gkollias
Builder

I am in need of a search-switcher for simple XML. I can't seem to find anything in respect to this out there. If this is not available, does anyone have any ideas on some custom work that could be done to implement this functionality?

Thanks in Advance!

0 Karma
1 Solution

_gkollias
Builder

Good thing I'm pretty cool with a Splunk God 🙂

Here is a "hobo" solution, bro:

Not-so-brief Background -

We needed a solution where we could go back in time greater than yesterday to view various transactional-type statistics (please let me explain :0) ). What was happening was we had a summary index storing this transactional data. Once the scheduled job ran to pick up the latest data, it would be stored in the summary index.

There could be a few problems here - it could be possible that when the job ran the transaction wasn't exactly completed yet, or it could have gone into some NOT success status where it would later need to be reprocessed. Although that transaction was reprocessed later on, we could not tell from our dashboard that it was - so some success rates would stay low or transactions considered in progress would just sit in a processing bucket with no end in sight 😞 We needed to create an additional summary that acted as a transactional reconcile-er!...? This way we could obtain the absolute latest status of our transactions and display more accurate stats. Then we sort of ran into this issue where we were overloading our disk usage limit by running this search longer than -24h@h:

 Search auto-finalized after disk usage limit (100MB) reached.

THE SOLUTION!

Essentially we can create mini searches which are used as tokens for a specific period of time. Here is the sample solution in simple XML -

<form>
    <label>Hobo_SearchSwapper</label>
    <fieldset autoRun="true" submitButton="false">
        <!-- each choice value is a complete SPL search; the selected value becomes the token -->
        <input type="dropdown" token="tkn_base_timerange_search" searchWhenChanged="true">
            <label>Select a timerange:</label>
            <default>Last 60 minutes</default>
            <choice value="index=main earliest=-60m | timechart span=2m count by host">Last 60 minutes</choice>
            <choice value="index=main earliest=-4h | timechart span=15m count by host">Last 4 hours</choice>
            <choice value="index=summary earliest=-24h | timechart span=30m count by host">Last 24 hours</choice>
            <choice value="index=summary earliest=-7d | timechart span=2h count by host">Last 7 days</choice>
        </input>
    </fieldset>
    <row>
        <chart>
            <!-- the token expands to the full search chosen in the dropdown -->
            <searchString>$tkn_base_timerange_search$</searchString>
            <option name="charting.chart">line</option>
        </chart>
    </row>
</form>

Hope this helps anyone interested in this use case!
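
The thing to watch with this pattern, and a check for it, as an added example (my code, not from the post or from Splunk): the whole search string lives in a dashboard input's token, so whoever can set that input (a dropdown choice, or a `form.<token>` parameter in the dashboard URL) decides which SPL runs. The lint below parses a trimmed, constructed copy of the dashboard above and flags a search whose entire text is such a token, plus unsigned relative-time modifiers like the post's `earliest=7d`; the element names it looks at (`input`, `choice`, `searchString`, `query`) are the Simple XML ones used here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the post's dashboard, with the unsigned
# "earliest=7d" kept on purpose so the linter has something to flag.
DASHBOARD_XML = """<form>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="tkn_base_timerange_search" searchWhenChanged="true">
      <choice value="index=main earliest=-60m | timechart span=2m count by host">Last 60 minutes</choice>
      <choice value="index=summary earliest=7d | timechart span=2h count by host">Last 7 days</choice>
    </input>
  </fieldset>
  <row><chart><searchString>$tkn_base_timerange_search$</searchString></chart></row>
</form>"""

TOKEN_REF = re.compile(r"\$([A-Za-z0-9_.]+)\$")
# earliest=/latest= with a unit suffix but no leading '-' or '@', e.g. earliest=7d
UNSIGNED_RELTIME = re.compile(r"\b(earliest|latest)=(\d+[smhdwMyq][^\s|]*)")


def lint_dashboard(xml_text):
    """Return (severity, message) findings for one Simple XML dashboard string."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Inputs whose choice values are whole SPL pipelines (they contain a '|').
    spl_tokens = {}
    for inp in root.iter("input"):
        tok = inp.get("token")
        spl = [c.get("value", "") for c in inp.findall("choice") if "|" in c.get("value", "")]
        if tok and spl:
            spl_tokens[tok] = spl
    # 2. A search whose entire text is such a token: the SPL that runs is whatever
    #    the input holds, and input tokens can be prefilled from the dashboard URL.
    for el in list(root.iter("searchString")) + list(root.iter("query")):
        m = TOKEN_REF.fullmatch((el.text or "").strip())
        if m and m.group(1) in spl_tokens:
            findings.append(("high", f"search is entirely ${m.group(1)}$: user-selected SPL"))
    # 3. Unsigned relative time inside those choices (the post's "earliest=7d" typo).
    for tok, choices in spl_tokens.items():
        for choice in choices:
            for key, val in UNSIGNED_RELTIME.findall(choice):
                findings.append(("low", f"{tok}: {key}={val} lacks a leading '-'"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_dashboard(DASHBOARD_XML):
        print(severity.upper(), message)
```

Point it at the XML exported from a dashboard (or looped over an app's `default/data/ui/views/` files) to find every panel that hands its whole search to an input token.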

Raghav2384
Motivator

Could you please provide more on the search-switching requirement? There's a simple XML example in the 6.2.x dashboard examples app called link-switcher.

It allows you to toggle for multiple chart views in one panel.

0 Karma