Hello,
I have made a dashboard that searches for an event, displays the time-stamp of that event, and the time elapsed since that event (by calculating the difference in epoch times between the event and the current time). My problem is that the elapsed time stays static, when it needs to be calculated and displayed continuously in real time.
Can anyone offer any ideas or examples of how to achieve this?
Thanks!
Hi _dave_b,
what time period you used? a real time or static?
if you use a real time search your difference should be modified.
Otherwise, you should refresh your page.
Bye.
Giuseppe
You have two options.
Option 1
Convert dashboard to Real Time. For example following looks for 5 minute window. However, you should use Dashboards with Real Time searches only if absolutely required(like depicting real-time network utilization etc), otherwise you should rely on second option (near real-time)
<earliest>rt-5m</earliest>
<latest>rt</latest>
Option 2
Set dashboard or Panel Refresh based on one of following options whichever suits your needs and Splunk Enterprise version:
A) Refresh entire view on periodic basis (following is for every 5 minutes)
<dashboard refresh="300">
or
<form refresh="300">
B) Individual Panel auto-refresh
(i) Splunk Enterprise 6.5 onward. Create your Search Panel and edit the search to add Auto Refresh Delay or do the same via Simple XML for specific Search Panel add following code
<refresh>5m</refresh>
(ii) refresh.auto.interval to refresh individual panel (deprecated feature now, however you can use the same in case you are using Splunk Enterprise 6.1 or greater but not on Splunk 6.5)
<option name="refresh.auto.interval">300</option>
Addressing this part of the question:
My problem is that the elapsed time stays static, when it needs to be calculated and displayed continuously in real time
The panel will report static data for the instance when the search was run and it will stay as is till its refreshed again. You have the option to refresh the query if you are using the latest Splunk version wherein depending on the refresh interval the data will be automatically updated. Example on how to refresh the query every 5 minutes is below:
<search>
<query>
</query>
<earliest></earliest>
<latest></latest>
<sampleRatio></sampleRatio>
<refresh>5m</refresh>
</search>
Explore the other options of refresing data in your panels/dashboard which are mentioned here:
https://answers.splunk.com/answers/483783/define-refresh-interval-for-formdashboard.html#answer-4840...
Thanks for your answer! I was not aware of the refresh feature before, but now that I am, I am wondering about how it works. Thanks for pointing out the other options that help answer my further questions.
Hi _dave_b,
what time period you used? a real time or static?
if you use a real time search your difference should be modified.
Otherwise, you should refresh your page.
Bye.
Giuseppe
Thanks! Based off your suggestion, I looked up on how to refresh my dashboard panel, and it now automatically refreshes every 3 seconds or so. Ideally, it would refresh every 1 second, but 3 seconds is good enough for now.