Splunk Search

Can my dashboard pick from a set of predetermined timechart spans depending on the user's timerange length?

sideview (SplunkTrust)

First, the answer here may be to simply not use span=1h at all, but rather to use bins=500 or some similar number in the timechart command, and let timechart command itself figure out what span best fits that total number of bins.

But, let's say I have a timechart and the user can pick last 3 hours, last 48 hours or last month. For last 3 hours I want span=30min, for last 48 hours I want span=4h, and for last month I want span=1d.

Is there a way I can make my dashboard itself pick the right argument to the timechart command based only on the timerange that the user picked?

cheganbm
Explorer

When you say "(...), and let timechart command itself figure out what span best fits that total number of bins.(...)" is there a way to display the determined span value if we use the bins=1000 option?

Thanks.

sideview (SplunkTrust)

I know several apps have come up with their own way of doing this, but it can be done using Sideview Utils with no custom javascript. Here is an example.

We basically dispatch a strange little search. It will run very quickly and match no events, but we'll use the search language to calculate our timerange duration, to also pick for us the right "span=5m" argument, and then we'll use the Sideview ResultsValueSetter module to pull the final span field down from the server and turn it into a $span$ token on the client.

After that we can just plug it into our Search module like any other $foo$ token.

<module name="TimeRangePicker">
  <param name="default">Last 24 hours</param>

  <!-- Helper search: matches no events, but addinfo exposes the picked timerange
       so the span can be chosen in SPL. The third threshold is 14400 (4 hours):
       the original 1440 sat below the 3600 branch, so "span=30min" could never
       match. The last branch is a default so $span$ is never empty. -->
  <module name="Search">
    <param name="search"><![CDATA[
      foo NOT foo | stats count | addinfo | table info_min_time info_max_time | eval duration=info_max_time - info_min_time | eval span=case( duration>604800,"span=1d", duration>86400,"span=4h", duration>14400,"span=1h", duration>3600,"span=30min", 1=1,"span=1min")
    ]]></param>

    <!-- Copies span and duration from the first result row into $span$ and $duration$ -->
    <module name="ResultsValueSetter">
      <param name="fields">span,duration</param>

      <!-- The real search: $span$ expands to e.g. "span=4h" -->
      <module name="Search">
        <param name="search"><![CDATA[
          index=_internal | head 1000 | timechart count $span$
        ]]></param>

        <module name="HTML" layoutPanel="viewHeader">
          <param name="html"><![CDATA[
          did it work?   span = $span$<br>
          duration = $duration$
          ]]></param>
        </module>
        <module name="JSChart" />
      </module>
    </module>
  </module>
</module>

It's worth noting that ResultsValueSetter only ever gets field values from the first row of your search results, so sometimes you need to think a bit about how to get all your values into one row.

http://sideviewapps.com/apps/sideview-utils
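The same technique in Splunk Simple XML, without Sideview Utils, as an added example that is not part of the original answer: a helper search computes the range duration with addinfo, a `<done>` handler copies the first row's span field into a $span$ token, and the chart search consumes that token. It assumes a Splunk version whose Simple XML supports search event handlers (`<done>`) and `<set token>`; the thresholds are the answer's, with the 4-hour branch at 14400 seconds.

```xml
<form>
  <label>Adaptive timechart span</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Helper search: "foo NOT foo" matches nothing, stats count still
       yields one row, and addinfo exposes the picked timerange bounds. -->
  <search id="pick_span">
    <query><![CDATA[
      foo NOT foo | stats count | addinfo
      | eval duration=info_max_time - info_min_time
      | eval span=case(duration>604800,"span=1d",
                       duration>86400,"span=4h",
                       duration>14400,"span=1h",
                       duration>3600,"span=30min",
                       1=1,"span=1min")
      | table duration span
    ]]></query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <!-- $result.field$ refers to the first result row, as with ResultsValueSetter -->
    <done>
      <set token="span">$result.span$</set>
      <set token="duration">$result.duration$</set>
    </done>
  </search>

  <row>
    <panel>
      <!-- Shows the chosen argument, which also answers "which span was used?" -->
      <title>$span$ (range is $duration$ seconds)</title>
      <chart>
        <search>
          <query>index=_internal | timechart count $span$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

The chart search is not rendered until the helper search finishes and sets $span$, so there is no flash of a chart with the default span.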
