Splunk Search

How to specify different time ranges for each panel on a dashboard using only one base search?

marcosrios
Explorer

Hi,

I'm trying to use a base search for different panels. I have this, but it's retrieving the same results in both panels. How do I specify different time ranges for each panel using only one search?

<dashboard>
    <label>My dashboard</label>
    <description/>
    <search id="top_errors">
        <query>index=A foo=X</query>    
    </search>
    <row>
        <panel>
            <table>
                <title>Top Errors (Past 10 minutes)</title>
                <search base="top_errors">
                    <earliest>-10m</earliest>
                    <latest>now</latest>
                </search>
            </table>
        </panel>
    </row>
    <row>
        <panel>
            <table>
                <title>Top Errors (Past 4 hours)</title>
                <search base="top_errors">
                    <earliest>-4h</earliest>
                    <latest>now</latest>
                </search>
            </table>
        </panel>
    </row>
</dashboard>

Regards!

0 Karma

stephanefotso
Motivator

Hello! Add a query tag to reformat results from a base search in your panels, e.g.:

            <table>
                <title>Top Errors (Past 10 minutes)</title>
                <search base="top_errors">
                    <query>
                        search log_level=error | stats sum(count) as count
                    </query>
                    <earliest>-10m</earliest>
                    <latest>now</latest>
                </search>
            </table>

For more information, read the post-process examples here: http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Savedsearches
Thanks

SGF
0 Karma

marcosrios
Explorer

Understood, but how can I filter the base result for a specific time range?

Suppose that my base search gets results for the last 4 hours.
In my panels I want to use the same search, but in one of the panels specify the last 4 hours and in the other the last 10 minutes.
How may I achieve that?

0 Karma

stephanefotso
Motivator
  1. Run your base search and save it as a report. Let's say top_errors.
  2. Reference your report like this:

        <dashboard>
          <row>
            <panel>
              <title>Original report</title>
              <chart>
                <title>Top Errors (Past 10 minutes)</title>

                <search ref="top_errors">

                  <!-- Modify time bounds -->
                  <earliest>-10m</earliest>
                  <latest>now</latest>

                </search>

              </chart>
            </panel>
            <panel>
              <title>Modified time bounds and visualization</title>
              <chart>
                <title>Top Errors (Past 4 hours)</title>

                <search ref="top_errors">

                  <!-- Modify time bounds -->
                  <earliest>-4h</earliest>
                  <latest>now</latest>

                </search>

                <!-- Change visualization -->
                <option name="charting.chart">column</option>

              </chart>
            </panel>
          </row>
        </dashboard>

SGF
0 Karma

marcosrios
Explorer

The only difference I have between the panels is the time range. I don't want to post-process the search.
Another question: if I set a base search, will both panels retrieve the results from the base search? Or will they run the same search independently?

Regards!

0 Karma

stephanefotso
Motivator

Panels in the dashboard use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard. If you set a base search, both panels will retrieve the results from the base search.

SGF
0 Karma
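
An added example, not part of the thread and not the posters' code: a post-process search only works on the rows the base search already returned, so the narrower window has to be cut out of those rows by filtering on `_time`. The sketch below runs the base search once over the widest range (4 hours) and derives both panels from it. The `log_level` field (taken from the reply above), the 1-minute bucketing and the sort are assumptions.

```xml
<dashboard>
    <label>My dashboard</label>
    <!-- Base search: runs once, over the widest window any panel needs.
         It is a transforming search that keeps _time in 1-minute buckets,
         so panels can still filter by time. log_level is an assumed field. -->
    <search id="top_errors">
        <query>index=A foo=X | bin _time span=1m | stats count by _time, log_level</query>
        <earliest>-4h</earliest>
        <latest>now</latest>
    </search>
    <row>
        <panel>
            <table>
                <title>Top Errors (Past 10 minutes)</title>
                <!-- Post-process: keep only buckets from the last 10 minutes.
                     Buckets are 1 minute wide, so the cut-off is accurate
                     to one minute. -->
                <search base="top_errors">
                    <query>where _time >= relative_time(now(), "-10m") | stats sum(count) as count by log_level | sort - count</query>
                </search>
            </table>
        </panel>
    </row>
    <row>
        <panel>
            <table>
                <title>Top Errors (Past 4 hours)</title>
                <!-- Post-process: aggregate the whole 4-hour result set -->
                <search base="top_errors">
                    <query>stats sum(count) as count by log_level | sort - count</query>
                </search>
            </table>
        </panel>
    </row>
</dashboard>
```

Aggregating in the base search keeps the shared result set small, which matters because post-process searches operate on a capped number of base results when the base search returns raw events.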

stephanefotso
Motivator

Referencing a search from a report can help you. Read about it here: http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Savedsearches

thanks

SGF
0 Karma