Modifying timechart's span based on selected range

Communicator

Hi,

I want to have different span values depending on selected time range. For example, if the user selected up to 15 minutes, span should be 5s, 15 minutes to 4 hours - 10m, 4 hours to 24 hours - 1h and over that 1d.

I've been using the time hack macro I've seen in the web intelligence app to define the index I want to search, and this works nicely; however, when I embed the timechart command into the macro it fails with a weird error: DISPATCHCOMMRPFAIL

The macro I used looks like this:

[mymacro(2)]
args = arg1, arg2
definition = [stats count | addinfo | eval range=info_max_time - info_min_time | eval search=case(range<=960, "mysearch | timechart span=5s sum(field)", range>960 AND range<=90000, "..... | timechart span=10m sum(field)")]

I also tried calling a macro from a macro but it didn't work.

Is there a way to get variable span in the timechart function, depending on the selected range?


SplunkTrust

The main thing going on here is that you cannot output whole commands and sequences of pipe-separated commands from a subsearch. Subsearches can only yield out arguments to single commands.

Then the second thing going on is that ordinarily there's a quite helpful message to tell you about this. Something here is preventing the normal helpful message from appearing, and instead you're getting the "DISPATCHCOMMRPFAIL" error. I would guess it's because the lack of any other terms in the initial command confuses the search parser.

Anyway, you can run this similar but different search. Note the star and pipe in the outer expression. It's also an invalid search but you'll get a more informative error:

* | [stats count | addinfo | eval range=info_max_time - info_min_time | eval search=case(range<=960, "mysearch | timechart span=5s sum(field)", range>960 AND range<=90000, "..... | timechart span=10m sum(field)")]

Running that one will give you this error: Subsearches are only valid as arguments to commands.

So now that you know that, all you have to do is rework it so that your subsearch passes out arguments to timechart instead of the whole timechart command.

* | timechart [stats count | addinfo | eval range=info_max_time - info_min_time | eval search=case(range<=960, "span=5s count", range>960 AND range<=90000, "span=10m count", 1==1, " count")]

Works like a charm.

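The accepted approach carried through to all four ranges the question asks for (an added example, not code from either post): the thresholds 900, 14400 and 86400 seconds are the question's 15 minutes, 4 hours and 24 hours, and the index, sourcetype and field names are placeholders to replace with your own.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| timechart [ stats count
    | addinfo
    | eval range = info_max_time - info_min_time
    | eval search = case(
          range <= 900,   "span=5s sum(field)",
          range <= 14400, "span=10m sum(field)",
          range <= 86400, "span=1h sum(field)",
          1==1,           "span=1d sum(field)") ]
```

Because case() returns the value of the first condition that is true, each branch only needs an upper bound, and the 1==1 branch guarantees timechart always receives a span even when range is missing or not a finite number.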

Communicator

Great, thanks for this!

I found another way in the meantime too - the Web intelligence application has a very nice custom module called HiddenSearchSwapper that allows you to set up different searches for different time ranges.

So you can just use this module, set time ranges and populate searches you want to be used depending on the selected time range.