Splunk Search

What is Best Practice for keeping my real time dashboard running indefinitely?

maverick
Splunk Employee
Splunk Employee

In Splunk GUI, after I create a real time report and put it on my dashboard, it eventually times out.

Wondering if there is a way to prevent that timeout from occurring and keep the dashboard up and running indefinitely (as long as I keep my browser open).

Labels (1)
1 Solution

sideview
SplunkTrust
SplunkTrust

What happens is that when the Splunk UI doesnt see someone there clicking the mouse every now and then, it'll stop talking to the backend.

This means the UI will stop updating and the sessions on splunkWeb and on splunkd will start timing out. (technically we do that precisely because we want them to start timing out)

Eventually the unattended real-time search will get cancelled automatically by splunkd (courtesy of the autocancel value provided by the view), and a while after that your sessions will expire. When you return to the UI you'll get kicked to the login screen.

As far as getting a real time dashboard running indefinitely.

1) If the UI for the dashboard is going to remain on a single screen somewhere 24x7, like in a NOC---

then the best practice I've come across, is to have a dedicated search head, where you actually turn off the POLLER_INACTIVITY_TIMEOUT entirely. Ideally I would strip that search head down so that it really only has that one view on it. Or otherwise ensure that people arent going to run other long running searches on it.

Check out the second part of this answer which is related (note the first suggestion is not related)

http://answers.splunk.com/questions/3273/real-time-views-are-hanging

2) If the UI for this real time search is NOT going to remain on a single screen, but you want any number of users to come to a particular dashboard and rather than dispatch 1 real-time search for each user, you want them all to share a single permanently-running real time search --

honestly we dont have this yet. We are working on this very problem for our next release believe me. 😃

There are some hacky and limited ways that are fun to explore but I cant say I recommend them and they are of course undocumented and essentially untested. At base all 3 methods involve making a dashboard that is basically hardwired to always display the permalink to one specific job. You then manually run a real-time search in the 'advanced charting view', and fish out its sid using 'get link to results'. From there the advanced reader can figure out the 3 distinct methods that would work from the following hints: a) put hardwired permalink directly in the nav xml b) postProcess magic, c) IframeInclude insanity

View solution in original post

jonathansaenz
Explorer

I think you missed the point of our gripe. Our gripe is that having a real-time dashboard on a kiosk where you don't want to have to log back into Splunk every few hours (because it's a kiosk and shouldn't have to have human input to it) without having to up the default time-out for users to something unrealistically high for everything, is not possible with Splunk as it stands.

frobinson_splun
Splunk Employee
Splunk Employee

Hi, @maverick and @jonathansaenz! I'm a tech writer here at Splunk and wanted to offer a couple of resources about currently available software:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Report/Schedulereports#Schedule_a_report_via_Splun...

http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/RealTimeDashboard

http://docs.splunk.com/Splexicon:Realtimesearch

http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Realtimeperformanceandlimitations

I hope this info helps you with the dashboard you're trying to configure.

Thanks! Feel free to reply with further questions or comments!
@frobinson

0 Karma

eperry
Engager

I don't see any more recent post on this, is there a way of just doing it for a dashboard? Seem silly to have a dashboard and disable timeouts for the whole server.

0 Karma

jonathansaenz
Explorer

It seems unreasonable that 5 years later, this still isn't a possibility with splunk

0 Karma

JB888
Engager

Seems another 7 years later and this is still an issue. 

We have a large NOC wall where we'd like to utilise several Splunk powered dashboards. Not using real time searches but set to 1 minute refresh intervals. 

 

Currently I can setup the dash but about an hour later, it stops refreshing, rendering the dashboard pointless. 

0 Karma

SanjayReddy
SplunkTrust
SplunkTrust

Hi  @JB888 

I’m a Community Moderator in the Splunk Community. Thanks for contributing as a member in the forum!

This question was posted  couple years ago and might not get the attention you need for your own question to be answered. I suggest you please post a brand new question so your issue can get more visibility. To increase your chances of getting help from the community,(Please feel free to link to this answer in your question, but try to describe the issue clearly yourself, in case there are any details that might matter that were different for you from this prior post.) follow these guidelinesin the Splunk Answers User Manual when creating your post.

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

+1

0 Karma

klee310
Communicator

Are there any news in this regard yet? I'm using 4.2 already...

0 Karma

sideview
SplunkTrust
SplunkTrust

What happens is that when the Splunk UI doesnt see someone there clicking the mouse every now and then, it'll stop talking to the backend.

This means the UI will stop updating and the sessions on splunkWeb and on splunkd will start timing out. (technically we do that precisely because we want them to start timing out)

Eventually the unattended real-time search will get cancelled automatically by splunkd (courtesy of the autocancel value provided by the view), and a while after that your sessions will expire. When you return to the UI you'll get kicked to the login screen.

As far as getting a real time dashboard running indefinitely.

1) If the UI for the dashboard is going to remain on a single screen somewhere 24x7, like in a NOC---

then the best practice I've come across, is to have a dedicated search head, where you actually turn off the POLLER_INACTIVITY_TIMEOUT entirely. Ideally I would strip that search head down so that it really only has that one view on it. Or otherwise ensure that people arent going to run other long running searches on it.

Check out the second part of this answer which is related (note the first suggestion is not related)

http://answers.splunk.com/questions/3273/real-time-views-are-hanging

2) If the UI for this real time search is NOT going to remain on a single screen, but you want any number of users to come to a particular dashboard and rather than dispatch 1 real-time search for each user, you want them all to share a single permanently-running real time search --

honestly we dont have this yet. We are working on this very problem for our next release believe me. 😃

There are some hacky and limited ways that are fun to explore but I cant say I recommend them and they are of course undocumented and essentially untested. At base all 3 methods involve making a dashboard that is basically hardwired to always display the permalink to one specific job. You then manually run a real-time search in the 'advanced charting view', and fish out its sid using 'get link to results'. From there the advanced reader can figure out the 3 distinct methods that would work from the following hints: a) put hardwired permalink directly in the nav xml b) postProcess magic, c) IframeInclude insanity

Get Updates on the Splunk Community!

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

Introducing New Splunkbase Governance!

Splunk apps are essential for maximizing the value of your Splunk Experience. Whether you’re using the default ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...