Splunk Search

How to specify different time ranges for each panel on a dashboard using only one base search?

Explorer

Hi,

I'm trying to use a base search for different panels. I have this, but it's retrieving the same results in both panels. How do I specify different time ranges for each panel using only one search?

<dashboard>
    <label>My dashboard</label>
    <description/>
    <search id="top_errors">
        <query>index=A foo=X</query>    
    </search>
    <row>
        <panel>
            <table>
                <title>Top Errors (Past 10 minutes)</title>
                <search base="top_errors">
                    <earliest>-10m</earliest>
                    <latest>now</latest>
                </search>
            </table>
        </panel>
    </row>
    <row>
        <panel>
            <table>
                <title>Top Errors (Past 4 hours)</title>
                <search base="top_errors">
                    <earliest>-4h</earliest>
                    <latest>now</latest>
                </search>
            </table>
        </panel>
    </row>
</dashboard>

Regards!

0 Karma

Motivator

Hello! Add a query tag to reformat results from a base search in your panels, e.g.:

    <table>
        <title>Top Errors (Past 10 minutes)</title>
        <search base="top_errors">
            <query>
                search log_level=error | stats sum(count) as count
            </query>
            <earliest>-10m</earliest>
            <latest>now</latest>
        </search>
    </table>

For more information, read the post-process examples here: http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Savedsearches
thanks

0 Karma

Explorer

Understood, but how can I filter the base result for a specific time range?

Suppose that my base search gets results for last 4hs.
In my panels I want to use the same search, but in one of the panels specify last 4hs and in the other the last 10 min.
How may I achieve that?

0 Karma

Motivator
  1. Run your base search and save it as a report. Let's say top_errors
  2. Reference your report like this:

    <dashboard>
      <row>
        <panel>
          <title>Original report</title>
          <chart>
            <title>Top Errors (Past 10 minutes)</title>
            <search ref="top_errors">
              <!-- Modify time bounds -->
              <earliest>-10m</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
        <panel>
          <title>Modified time bounds and visualization</title>
          <chart>
            <title>Top Errors (Past 4 hours)</title>
            <search ref="top_errors">
              <!-- Modify time bounds -->
              <earliest>-4h</earliest>
              <latest>now</latest>
            </search>
            <!-- Change visualization -->
            <option name="charting.chart">column</option>
          </chart>
        </panel>
      </row>
    </dashboard>
    
0 Karma

Explorer

The only difference I have between the panels is the time range. I don't want to post process the search.
Another question: if I set a base search, will both panels retrieve the results from the base search? Or will they run the same search independently?

Regards!

0 Karma

Motivator

Panels in the dashboard use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard. If you set a base search, both panels will retrieve the results from the base search.

0 Karma

Motivator

Referencing a search from a report can help you; read about it here: http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Savedsearches

thanks

0 Karma