Splunk Search

Can you help me with a dashboard based on reports that are filtering by time?

patrycja
Explorer

Hello,

I created a simple dashboard with some panels taking data from the index. It was taking a long time to load, so I created a scheduled report and converted all panel queries to load data from that report using loadjob savedsearch="hackathon:search:BaseSearch" events=true command.

My idea was to create a report which takes logs from "All time" and then adds a time filter to the dashboard to allow a user to get what he wants.

My problem is that the time picker on my dashboard doesn't affect panels. It was working correctly with queries taking data from the index, but is not working with queries taking data from the report. I literally took the same panel and just switched the data source in the query. All other filters work. The problem is only with the time picker.

I was trying different things already to make it work:

  1. Adding
    <earliest>$input_time.earliest$</earliest> <latest>$input_time.latest$</latest> in the panel source (input_time is my time picker's token). It doesn't change anything.
  2. Changing time range in the query setting
  3. Shared time picker - was working with panels before changing to report. Now it is not.
  4. Use time picker - this is not what I want.
  5. Tokens - can't set it up, every time when I set it and click apply, it magically returns to its previous setting when opened again.
  6. Global - doesn't work
  7. Adding time filtering in the query:
    | eval timestamp_epoch = strptime(Timestamp, "%Y-%m-%dT%H:%M:%S.%3N%z") | where timestamp_epoch>relative_time(now(),"$input_time.earliest$")
    And this partially works! But I still have some issues with it. It only allows me to filter by the beginning of the time period using input_time.earliest. When I want to use input_time.latest ( where timestamp_epoch < relative_time(now(),"$input_time.latest$") ), the query returns no results. There obviously is some data, so the query should return something.
    The second issue is that I can use only time ranges like "24 hours ago", "7 days ago", "... ago". When I try to set the time, for example from Jan 1st to Jan 5th, it shows an error: [screenshot] I think that Splunk doesn't know which "file" (or whatever structure it has) with data it should take, because one report is generating a new set of data every hour (the report is scheduled to run once per hour).

Any idea how to make panels from report work with time picker?


bhavikbhalodia
Path Finder

Hi Patrycja,

You can create a data model which takes data from an index and reindexes it. Afterwards, when you fetch data from the data model, you get results more quickly. And you can apply the time range to the search when you fetch data from the data model.

Thanks,
Bhavik

gcusello
SplunkTrust

Hi patrycja,
I think that you should explore summaries. In other words: run your report query with the same schedule you have, but at the end of the query use the collect or tscollect command to store the results in a summary index. Then you can run your searches on this index and have a very performant search that you can filter using the fields you have.

Bye.
Giuseppe

patrycja
Explorer

Good idea, but right now I don't have permissions to create an index. Is there any other way?


gcusello
SplunkTrust

You don't need to create an index: you can use the default summary index (summary) if you use the collect command, or a dedicated namespace if you use the tscollect command.
Bye.
Giuseppe

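Giuseppe's summary-index suggestion, worked through as an added example (this is not code from the thread; the index, sourcetype and field names are placeholders, and the time-picker token `input_time` is the one from the question). The hourly scheduled report is restricted to the hour that just closed rather than "All time", so each run appends only new rows to the `summary` index and nothing is double-counted; the dashboard then searches that index with the time picker's `earliest`/`latest` tokens. That works here because every summary event carries its own `_time`, whereas `loadjob` returns the rows of one finished job and ignores the panel's time range entirely.

```xml
<!--
  Scheduled report (example), run every hour with earliest=-1h@h latest=@h.
  Placeholders: index, sourcetype, host and status are assumptions for illustration.
  Keeping _time in the stats output is what lets the time picker filter later.

    index=your_index sourcetype=your_sourcetype
    | bin _time span=1h
    | stats count BY _time, host, status
    | collect index=summary marker="report=BaseSearch"

  collect writes the rows as sourcetype=stash (not counted against the license)
  and marker= stamps every row with report=BaseSearch so the dashboard can
  select this report's data without touching anything else in the summary index.
-->
<form>
  <label>BaseSearch summary (added example)</label>

  <fieldset submitButton="false">
    <!-- Same token name as in the question; applies to every panel that references it. -->
    <input type="time" token="input_time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Events per hour (from the summary index)</title>
      <chart>
        <search>
          <!-- sum(count) re-aggregates the hourly rows; absolute and relative
               ranges from the picker both work because each row has _time. -->
          <query>index=summary report=BaseSearch | timechart span=1h sum(count) AS count</query>
          <earliest>$input_time.earliest$</earliest>
          <latest>$input_time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Top hosts by status (same time range)</title>
      <table>
        <search>
          <query>index=summary report=BaseSearch | stats sum(count) AS count BY host, status | sort - count</query>
          <earliest>$input_time.earliest$</earliest>
          <latest>$input_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two practical checks before relying on this: the role that owns the scheduled report must be allowed to write to the `summary` index (the index exists by default, so no index creation is needed), and the report's time window should match its schedule exactly, otherwise the summary will hold duplicate or missing hours. If you prefer `tscollect`, write with `| tscollect namespace=basesearch` instead and query with `| tstats count FROM basesearch WHERE ... BY _time span=1h`; the dashboard-side `earliest`/`latest` tokens apply in the same way.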

gcusello
SplunkTrust

Hi patrycja,
if you're satisfied by this answer, please accept and/or upvote it.

Bye, see next time.
Giuseppe
