Splunk Search

How to create a chart in XML where each row has a different search and obtain the completion time based on a drop-down time input?

alanxu
Communicator

Hello,

I am trying to create a chart where each row has a different search. I am trying to obtain the completion time (completion time is found in my log, it is not from Splunk) for each row. At the top of my dashboard, I have a drop-down where users can control the time, however, I don't want the latest completion time from the drop-down. I want the completion time for each day showing a number of days depending on the drop-down.

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

I have read your problem, and I think I have a glimmer of what you might be trying to do. If you could confirm or deny that my guess below is on the right track (not necessarily perfect, but close enough), that would be great.

You have some data on searches (not Splunk ones) that includes the search name and a completion time. You do not say how many of these, nor if any individual search can be run more than once in a day. For the purposes of this investigation, I'm not sure it matters a whole lot - this can work either way and be tweaked reasonably easily. So, your data looks something like this?

SearchName CompletionTime
MySearch1    16
MySearch2    93
...
MySearchN   39

You may have a lot more fields, but this is all you describe and all we need for a solution. Also, no preview in "comment" mode so sorry if it doesn't line up. Let's say this root search, just to get us started, is index=* sourcetype=MySearches. It doesn't really matter as long as you know what that search is. We'll write that root search in the below as "..." because, honestly, it's not really important for the rest of the solution.

You would like to take those, and get an average, sum or some other calculation of those search completion times per day. Well, that at its simplest isn't too hard, you would use timechart. Like...

... | timechart span=1d sum(CompletionTime) AS TotalCompletionTime by SearchName

Replace sum() with avg() for average instead of sum. Timechart reference here, and more calculations you can do here. That gives a table like so (again, made up numbers, I'm sure they're wrong).

_time   MySearch1   MySearch2   MySearchN
2015-08-18  72  19  43
2015-08-19  18  23  17

Once you have something like this, you can add it in a dashboard.

Now, on to the second problem, which is to have a drop-down controlling the time frame. It's very unclear what you are after here, so this is just a guess: you would like a drop down that lets them pick a time frame (like August 15th through August 18th) and then for each day in that time frame you want the search above to only show those days?

The time picker will work fine for an input, assuming you can teach users to pick date ranges out of it and not something like what you don't want. You could totally build an input that's a regular drop down with integers in it but it's a lot more work. So, let's assume date range is OK.

Edit your dashboard panels (Edit, Edit panels), then add an Input of type Time. Click the pencil to edit the newly created time picker: set a reasonable default time, name it time_tok (name doesn't matter but it should be sensible) and click the "Search on change" checkbox. Save that.

Now, for each search panel, click the search's magnifying glass and edit the search string. At the bottom of that in the Time Range Scope pick "Shared Time Picker (time_tok)" and save it.

After saving the panel (upper right, "Done") the updating should work too. Note that sometimes I have to refresh the browser at that point to get it to start automatically updating when I change the time picker.

There's some really great docs on this too, right here.
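The same setup expressed as Simple XML (the question asks about XML), as an added example that is not part of the original answer: a time input with token time_tok and searchWhenChanged, and a chart panel whose search uses the answer's timechart and scopes itself to the picker via $time_tok.earliest$ / $time_tok.latest$, which is what "Shared Time Picker (time_tok)" writes for you. The root search index=* sourcetype=MySearches is the placeholder from the answer; the seven-day default range and the panel titles are assumptions chosen for this example.

```xml
<form>
  <label>Search completion times per day</label>

  <!-- Time input; token name and searchWhenChanged match the steps in the answer.
       Default range of the last seven days is an assumption for this example. -->
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Total completion time per day, one series per search</title>
      <chart>
        <search>
          <!-- Root search is the answer's placeholder; replace with the real one.
               Use avg(CompletionTime) instead of sum() for an average per day. -->
          <query>index=* sourcetype=MySearches
            | timechart span=1d sum(CompletionTime) AS TotalCompletionTime by SearchName</query>
          <!-- Scope the panel to the shared time picker instead of a fixed range -->
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>
```

Each SearchName becomes its own series, and each point on the x-axis is one day in the range the user picked; widening or narrowing the picker changes the number of days shown without touching the search itself.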


alanxu
Communicator

Wow Rick, thank you for the response. That was well done!

0 Karma

Richfez
SplunkTrust
SplunkTrust

I moved the "comment" to an answer so, if it's good enough, you can mark it as answered so other people can benefit from this as well. If it isn't, obviously, let us know what isn't working and we can probably sort it out, or create a new question that's focused just on your issue. This answer was more general in nature.

ppablo
Retired

I second this comment 🙂 @alanxu, I noticed you upvoted both the answer and comment by @rich7177, but to resolve the post, you need to actually click "Accept" directly below his answer if it fully answered your question. Otherwise, this post will float around without an accepted answer.

0 Karma

somesoni2
Revered Legend

Could you provide more details on what you're trying to accomplish? The dropdown is a time range picker?

0 Karma

alanxu
Communicator

But I would like to use that time range picker to indicate the amount of days to show.

0 Karma

alanxu
Communicator

Yes it is.

0 Karma