Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Are there any Search-Switcher Modules for Simp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am in need of a search-switcher for simple XML. I can't seem to find anything in respect to this out there. If this is not available, does anyone have any ideas on some custom work that could be done to implement this functionality?
Thanks in Advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good thing I'm pretty cool with a Splunk God 🙂
Here is a "hobo" solution, bro:
Not-so-brief Background -
We needed a solution where we could go back in time greater than yesterday to view various transactional-type statistics (please let me explain :0) ). What was happening was we had a summary index storing this transactional data. Once the scheduled job ran to pick up the latest data, it would be stored in the summary index.
There could be a few problems here - it could be possible that when the job ran the transaction wasn't exactly completed yet, or it could have gone in to some NOT success status where it would later need to be reprocessed. Although that transaction was reprocessed later on, we could not tell from our dashboard that it was - so some success rates would stay low or transactions considered in progress would just sit in a processing bucket with no end in sight 😞 We needed to create an additional summary that acted as a transactional reconcile-er!...? This way we could obtain the absolute latest status of our transactions and display more accurate stats. Then we sort of ran in to this issue where we were overloading our dis usage limit by running this search longer than -24h@h:
Search auto-finalized after disk usage limit (100MB) reached.
THE SOLUTION!
Essentially we can create mini searches which are used as tokens for a specific period of time. Here is the sample solution in simple XML -
<form>
<label>Hobo_SearchSwapper</label>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="tkn_base_timerange_search" searchWhenChanged="true">
<label>Select a timerange:</label>
<default>Last 60 minutes</default>
<choice value="index=main earliest=-60m | timechart span=2m count by host">Last 60 minutes</choice>
<choice value="index=main earliest=-4h | timechart span=15m count by host">Last 4 hours</choice>
<choice value="index=summary earliest=-14h | timechart span=30m count by host">Last 24 hours</choice>
<choice value="index=summary earliest=7d | timechart span=2h count by host">Last 7 days</choice>
</input>
</fieldset>
<row>
<chart>
<searchString>$tkn_base_timerange_search$</searchString>
<option name="charting.chart">line</option>
</chart>
</row>
</form>
Hope this helps anyone interested in this use case!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good thing I'm pretty cool with a Splunk God 🙂
Here is a "hobo" solution, bro:
Not-so-brief Background -
We needed a solution where we could go back in time greater than yesterday to view various transactional-type statistics (please let me explain :0) ). What was happening was we had a summary index storing this transactional data. Once the scheduled job ran to pick up the latest data, it would be stored in the summary index.
There could be a few problems here - it could be possible that when the job ran the transaction wasn't exactly completed yet, or it could have gone in to some NOT success status where it would later need to be reprocessed. Although that transaction was reprocessed later on, we could not tell from our dashboard that it was - so some success rates would stay low or transactions considered in progress would just sit in a processing bucket with no end in sight 😞 We needed to create an additional summary that acted as a transactional reconcile-er!...? This way we could obtain the absolute latest status of our transactions and display more accurate stats. Then we sort of ran in to this issue where we were overloading our dis usage limit by running this search longer than -24h@h:
Search auto-finalized after disk usage limit (100MB) reached.
THE SOLUTION!
Essentially we can create mini searches which are used as tokens for a specific period of time. Here is the sample solution in simple XML -
<form>
<label>Hobo_SearchSwapper</label>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="tkn_base_timerange_search" searchWhenChanged="true">
<label>Select a timerange:</label>
<default>Last 60 minutes</default>
<choice value="index=main earliest=-60m | timechart span=2m count by host">Last 60 minutes</choice>
<choice value="index=main earliest=-4h | timechart span=15m count by host">Last 4 hours</choice>
<choice value="index=summary earliest=-14h | timechart span=30m count by host">Last 24 hours</choice>
<choice value="index=summary earliest=7d | timechart span=2h count by host">Last 7 days</choice>
</input>
</fieldset>
<row>
<chart>
<searchString>$tkn_base_timerange_search$</searchString>
<option name="charting.chart">line</option>
</chart>
</row>
</form>
Hope this helps anyone interested in this use case!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please provide more on search-switching requirement? There's a simple XML example in 6.2.x dashboard example app called link-switcher.
It allows you to toggle for multiple chart views in one panel.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
