Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Custom JSON Module from cookbook wont do real time searches

phoenixdigital
Builder
‎03-19-2013 12:07 AM

This is a follow on from my previous post
http://splunk-base.splunk.com/answers/79823/custom-json-module-wont-do-post-processing

I followed the example provided below to build a custom module that passes JSON data through in the 'Application Framework Cookbook'

http://dev.splunk.com/view/SP-CAAADXY

My new visualisations work perfectly when performing normal searches.

<module name="HiddenSearch"  layoutPanel="panel_row2_col1" autoRun="True" >
  <param name="search">sourcetype="mySourceType" sectionCode=g* | fields sectionCode, other1, other2, _time</param>
  <param name="earliest">-60min</param>

When I change the search to be

  <param name="earliest">rt-10m</param>
  <param name="latest">rt</param>

It doesn't render at all let alone update in real time.

My JS is here
http://pastebin.com/3hENrdg0

I have looked at the equivalent SimpleResultsTable and SingleValue which both handle realtime but I can't find what makes these actuallywork with realtime.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-20-2013 11:37 AM

Since real-time searches are never 'done', the implementation of the CustomResultsTable in the docs won't ever work because it implements the onJobDone() function (which is fired when a search job is done) rather than onJobProgress() (which is fired when a search job has progress - usually either new results or the search cursor moving).

We will get a better example up for real-time, but in the meantime, you can just implement the following in your module JS:

onJobProgress: function() { this.getResults(); }

On your controller, you will have to set entity_name to 'results_preview' so get the most current results snapshot from job.getResults()

Let me know if you get stuck, and sorry I didn't see this sooner.

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-20-2013 11:37 AM

Since real-time searches are never 'done', the implementation of the CustomResultsTable in the docs won't ever work because it implements the onJobDone() function (which is fired when a search job is done) rather than onJobProgress() (which is fired when a search job has progress - usually either new results or the search cursor moving).

We will get a better example up for real-time, but in the meantime, you can just implement the following in your module JS:

onJobProgress: function() { this.getResults(); }

On your controller, you will have to set entity_name to 'results_preview' so get the most current results snapshot from job.getResults()

Let me know if you get stuck, and sorry I didn't see this sooner.

Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2013 06:23 PM

You would have to make 'entityName' a param that your module accepts. See SimpleResultsTable.conf for how that works.

0 Karma
Reply
Solved! Jump to solution

phoenixdigital
Builder
‎03-20-2013 09:17 PM

Thanks for that it appears to have resolved the issue.

I already had onJobProcess but did not change the entity_name.

See my new version of the js here.
http://pastebin.com/wXrse4kg

Looking at SimpleResultsTable they use

this.entityName = this.getParam("entityName");

I tried that and it didn't work. Also SingleValue just uses 'results' and it appears to update realtime.

Thanks again regardless. I am sure it will all make sense the more I dig into these.

0 Karma
Reply
Solved! Jump to solution

phoenixdigital
Builder
‎03-19-2013 06:09 PM

Further information to this.

I have put a singleValue vis and my own side by side both using realtime searches and then watched with firebug.

As you can see from this screenshot there are events but they just dont get rendered by my py script. However the SingleValue one works perfectly.

http://i.imgur.com/X2lsYGp.png

I even added some debugging in the server side python and it appears there is no data even through splunk is reporting 18 events.

Here is my server side python too
http://pastebin.com/SC3k86JU

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...