Splunk Search

Custom JSON Module from cookbook won't do real time searches

phoenixdigital
Builder

This is a follow on from my previous post
http://splunk-base.splunk.com/answers/79823/custom-json-module-wont-do-post-processing

I followed the example provided below to build a custom module that passes JSON data through in the 'Application Framework Cookbook'

http://dev.splunk.com/view/SP-CAAADXY

My new visualisations work perfectly when performing normal searches.

<module name="HiddenSearch"  layoutPanel="panel_row2_col1" autoRun="True" >
  <param name="search">sourcetype="mySourceType" sectionCode=g* | fields sectionCode, other1, other2, _time</param>
  <param name="earliest">-60min</param>
</module>

When I change the search to be

  <param name="earliest">rt-10m</param>
  <param name="latest">rt</param>

It doesn't render at all let alone update in real time.

My JS is here
http://pastebin.com/3hENrdg0

I have looked at the equivalent SimpleResultsTable and SingleValue which both handle realtime but I can't find what makes these actually work with realtime.

1 Solution

araitz
Splunk Employee

Since real-time searches are never 'done', the implementation of the CustomResultsTable in the docs won't ever work because it implements the onJobDone() function (which is fired when a search job is done) rather than onJobProgress() (which is fired when a search job has progress - usually either new results or the search cursor moving).

We will get a better example up for real-time, but in the meantime, you can just implement the following in your module JS:

onJobProgress: function() { this.getResults(); }

On your controller, you will have to set entity_name to 'results_preview' so you get the most current results snapshot from job.getResults()

Let me know if you get stuck, and sorry I didn't see this sooner.
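
The lifecycle difference the answer describes, as an added example that is not code from this thread or from Splunk: a constructed stand-in for the search-job object (FakeJob) fires progress on every new batch of events but only fires done for a historical search, so a module wired to onJobDone() alone never renders a real-time search while one wired to onJobProgress() renders on each batch. The hook names onJobDone / onJobProgress and the one-line handler are the ones from the answer; everything else (FakeJob, makeModule, simulate, the sample events) is assumed for illustration.

```javascript
// Added example, not code from the thread or from Splunk: a small stand-in for
// the search-job event lifecycle, used to show why a module that only implements
// onJobDone() never renders a real-time search while one that implements
// onJobProgress() does. FakeJob is a constructed mock of the job object.

class FakeJob {
  constructor(isRealTime) {
    this.isRealTime = isRealTime;
    this.events = [];
    this.listeners = { progress: [], done: [] };
  }
  on(event, fn) { this.listeners[event].push(fn); }
  // A new batch of matching events arrived (or the cursor moved): fire progress.
  push(batch) {
    this.events.push(...batch);
    this.listeners.progress.forEach((fn) => fn());
  }
  // A historical search finalizes and fires done; a real-time search never does.
  finish() {
    if (!this.isRealTime) this.listeners.done.forEach((fn) => fn());
  }
  // Current snapshot of results (what job.getResults() hands the module).
  getResults() { return this.events.slice(); }
}

// Builds a minimal module with the chosen hooks wired to the job, mirroring
//   onJobProgress: function() { this.getResults(); }
// from the answer. `hooks` selects which of the two handlers the module defines.
function makeModule(job, hooks) {
  const mod = { rendered: [], renderCount: 0 };
  mod.getResults = function () {
    mod.rendered = job.getResults();
    mod.renderCount += 1; // stands in for rendering the rows to the page
  };
  if (hooks.onJobDone) job.on('done', () => mod.getResults());
  if (hooks.onJobProgress) job.on('progress', () => mod.getResults());
  return mod;
}

// Runs one search with three constructed events arriving in two batches and
// reports how often the module rendered and how many rows it ended up with.
function simulate(isRealTime, hooks) {
  const job = new FakeJob(isRealTime);
  const mod = makeModule(job, hooks);
  job.push([{ sectionCode: 'g1', other1: 'a' }]);
  job.push([{ sectionCode: 'g2', other1: 'b' }, { sectionCode: 'g3', other1: 'c' }]);
  job.finish();
  return { renderCount: mod.renderCount, rows: mod.rendered.length };
}

// Historical search, onJobDone only: renders once at the end with all 3 rows.
// Real-time search, onJobDone only: done never fires, so nothing is rendered.
// Real-time search, onJobProgress: renders on each batch and ends with 3 rows.
console.log(simulate(false, { onJobDone: true }));
console.log(simulate(true, { onJobDone: true }));
console.log(simulate(true, { onJobProgress: true }));
```

The third run is the one that matters for the question: rendering is driven entirely by progress callbacks, which is why a module that only reacts to done stays blank against a real-time search.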

araitz
Splunk Employee

You would have to make 'entityName' a param that your module accepts. See SimpleResultsTable.conf for how that works.


phoenixdigital
Builder

Thanks for that it appears to have resolved the issue.

I already had onJobProgress but did not change the entity_name.

See my new version of the js here.
http://pastebin.com/wXrse4kg

Looking at SimpleResultsTable they use

this.entityName = this.getParam("entityName");

I tried that and it didn't work. Also SingleValue just uses 'results' and it appears to update realtime.

Thanks again regardless. I am sure it will all make sense the more I dig into these.


phoenixdigital
Builder

Further information on this.

I have put a singleValue vis and my own side by side both using realtime searches and then watched with firebug.

As you can see from this screenshot there are events but they just don't get rendered by my py script. However the SingleValue one works perfectly.

http://i.imgur.com/X2lsYGp.png

I even added some debugging in the server side python and it appears there is no data even though splunk is reporting 18 events.

Here is my server side python too
http://pastebin.com/SC3k86JU
