Splunk Search

How to pause a dashboard panel's real-time search?

daishih
Path Finder

I've built a dashboard panel that looks for blocked web traffic in real-time. Everything works great except I cannot pause/resume the search if I see something I want to investigate, like I can using the default Splunk search bar, but I don't see any options to add the pause/resume buttons to the dashboard searches. I've looked into using Sideview Utils but I was never able to get their modules working in my dashboards. I also read that advanced XML support is going away in Splunk, so I am hesitant to use the Sideview Utils add-on in fear that it may not be supported in future versions of Splunk. What are my options?

woodcock
Esteemed Legend

You can capture a screenshot with the push of a button.

0 Karma

daishih
Path Finder

Screenshots would be ineffective since you would be unable to drill down into the data. In addition, there are too many transactions occurring every second for these users that by the time the screen is captured the transaction would no longer be visible.

0 Karma

sideview
SplunkTrust

I don't know of any off the shelf control in Splunk Web Framework or in Simple XML that can do this. However in Sideview Utils you would use the SearchControls module. SearchControls can be configured to show any combination of different search controls, job controls, export, print etc. To strip it down to just the play/pause button, you would do this:

<module name="SearchControls" >
  <param name="sections">jobControls</param>
  <param name="jobControls">pause</param>
</module>

Sorry to hear you couldn't get Sideview Utils working before. The most common pitfall is not putting the hidden but required "SideviewUtils" module at the top of the view. However, there are a couple of other common mistakes:
a) Make sure you get the actual current Sideview Utils from the Sideview site (3.3.14), and not the incredibly old version on Splunkbase (1.3.5).
b) All of the docs and examples for the Sideview modules are in the app itself. Make sure you read at least the first 2 pages of documentation.

Deprecation worries.
Perfectly rational. Know that for the last 2 years, an incredible amount of work has been happening to build all new foundations for the Sideview UI, such that when Splunk's Advanced XML and Module Framework is all taken away, you'll still be able to run your dashboards. Right now this exists as an app called Canary. I believe that it will release well in advance of the Advanced XML's removal, and it is a goal that Canary support automated migration from the old Advanced XML format to our new view format.

If you have any questions let me know. Also sign up for the Sideview Utils mailing list - the product is definitely alive and well and is still quite frequently updated.

0 Karma

daishih
Path Finder

I'm still pretty new to Splunk and even newer to Sideview Utils. The version I installed was the latest from the Sideview site, but I'm having trouble converting my existing dashboard XML into advanced XML so I can use the Sideview Utils search module instead of the stock Splunk one. Is it hard to convert my existing dashboard, built using the stock Splunk dashboard editor, to advanced XML? If that isn't a good way to do it, how can I add input boxes and multi-select boxes to an advanced XML dashboard? I read the documentation in the Sideview app but still don't fully understand how to build a dashboard from scratch using Sideview Utils. Are there any how-to guides that walk a newbie through the process? I tried to modify one of the example views but was unable to find the search fields and inputs similar to when I build a dashboard using the default Splunk method. Any assistance or advice is appreciated.

0 Karma

sideview
SplunkTrust

If you can send the dashboard xml to me (nick [at] sideviewapps.com) it usually just takes a couple minutes for me to convert them to Sideview XML, at least to get you a working version with 90% of what's there ported.

Many people who don't like XML (aka "most people") use the Sideview Editor instead. However, you do have to pick up the gist from those first few docs pages, like the Search module always has to be downstream of any form element modules contributing tokens to it, and that you need the hidden SideviewUtils module to be there at the top of the view, etc.

I'm happy to convert one for you and it'll give you a good headstart.

0 Karma
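Putting the two answers above together, here is a minimal Advanced XML view assembled for this thread (not from the Sideview docs or the original poster's dashboard): the hidden SideviewUtils module comes first, a TextField form element sits upstream of the Search module so its token reaches the search, and SearchControls is stripped down to the pause/resume job control. The module names beyond SearchControls, SideviewUtils and Search (TextField, Table, AccountBar, AppBar), the layoutPanel values, the earliest/latest params and the index and field names are assumptions to check against the documentation bundled with the app.

```xml
<?xml version="1.0"?>
<!-- Constructed example for this thread; module/param names outside the
     answers above and the index/field names are assumptions. -->
<view template="dashboard.html">
  <label>Blocked web traffic (real-time)</label>

  <!-- Required hidden module: must come before everything else in the view -->
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>

  <!-- Form element upstream of the Search: its value becomes the $user$ token -->
  <module name="TextField" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="name">user</param>
    <param name="label">Username</param>

    <!-- Search is nested inside TextField so it is downstream of the token -->
    <module name="Search">
      <param name="search">index=proxy action=blocked user="$user$" | table _time user dest_host category</param>
      <!-- Real-time window so new blocked requests keep streaming in (assumed params) -->
      <param name="earliest">rt-5m</param>
      <param name="latest">rt</param>

      <!-- Only the play/pause job control, as in the answer above -->
      <module name="SearchControls">
        <param name="sections">jobControls</param>
        <param name="jobControls">pause</param>
      </module>

      <!-- Results table; pausing freezes it so a row can be inspected -->
      <module name="Table"/>
    </module>
  </module>
</view>
```

Pausing stops new results from replacing the rows on screen while the job is still alive, which is the investigation workflow the question asks for.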

daishih
Path Finder

Thank you for your reply, I've sent the dashboard I've been working on. Please let me know if there are any questions or concerns with it or if you did not receive it. Happy holidays!

0 Karma