Solved: Realtime single value panel and live gauges not up...

phoenixdigital · ‎05-12-2011

So I have created some single values and gauges which I hope to update with live data. However they dont seem to update and there is new data coming in every 15 seconds.

Single Value


<single>
                <searchString>host="jacona" SPLUNK:ChkInpReg regName=GensetRPM | head 1 | rangemap field=val low=0-30000 severe=30000-100000 | fields val, range</searchString>
                <title>Station State</title>
                <option name="field">val</option>
                <option name="classField">range</option>
                <earliestTime>rt</earliestTime>
                <latestTime>rt</latestTime>

</single>

The Gauge Here


        <chart>
                <title>Station Output</title>
                <searchTemplate>host="jacona" SPLUNK:ChkInpReg regName=GensetRPM  | gauge val 0 10000 25000 33000</searchTemplate>
                <option name="charting.chart">radialGauge</option>
                <option name="charting.chart.rangeValues">[0,30,70,100]</option>
                <option name="charting.gaugeColors">[0xBF3030,0xFFE800,0x84E900]</option>
                <earliestTime>rt</earliestTime>
                <latestTime>rt</latestTime>
        </chart>

Anyone have any thoughts?

hazekamp · ‎05-17-2011

I would recommend adjusting earliestTime values to create a real-time time window. This helps Splunk collect real-time events with drift between indextime and _time.

Try:

<earliestTime>rt-5m</earliestTime>
<latestTime>rt</latestTime>

Update:
Glad this worked. If you would like to always have the latest event consider adding the "head" command.

<your search> | head 1

View solution in original post

hazekamp · ‎05-17-2011

I would recommend adjusting earliestTime values to create a real-time time window. This helps Splunk collect real-time events with drift between indextime and _time.

Try:

<earliestTime>rt-5m</earliestTime>
<latestTime>rt</latestTime>

Update:
Glad this worked. If you would like to always have the latest event consider adding the "head" command.

<your search> | head 1

jflomenberg · ‎05-19-2011

In 4.2 the only way you can do this is by scheduling the underlying search to run all the time in the background (step 2 in the add to dashboard workflow for rt search)

phoenixdigital · ‎05-17-2011

Ignore that it is updating live now. Thanks heaps for your suggestion.

Another small question is there any way possible to have these 'realtime' gauges start with the most recent value in splunk instead of waiting for the first data point?

Also with 'realtime' charts can you have it show live data but start with the last 30 minutes?

phoenixdigital · ‎05-17-2011

Closer....

That displays the result thanks however the gauge never changes after that even though I know the data is incrementing every second and being logged every 15 seconds.

I watched it for about 10 minutes

phoenixdigital · ‎05-13-2011

Here is an example line

May 13 12:41:25 jacona power-engine[32525]: SPLUNK:ChkInpReg, regName=GensetRPM, reg=7, val=3668

Also just to mention these gauges and single values display fine when not attempting realtime.

jflomenberg · ‎05-13-2011

Can you provide a sample log line and show us where you are setting 'val'?

Realtime single value panel and live gauges not updating

Single Value

The Gauge Here

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms