Splunk Search

Why doesn't my summary index dashboard appear to be updating to show the latest search performed?

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I have successfully created a 'Summary Index' report and a dashboard which displays the results.

The problem I have is that the dashboard doesn't appear to be updating to show the latest search performed.

e.g. My first search came back with approx 34K returned results and this was correctly reflected in the dashboard. I then ran another search for a different time period within the report which returned approx 100K but these figures weren't reflected in the dashboard despite refreshing it.

This is my dashboard query:

<query>index=summary search_name="Test" | Stats count by detail.input</query>

Could someone perhaps explain why this may be please because I'm at a loss.

Many thanks and kind regards

Chris

0 Karma
1 Solution

tom_frotscher
Builder

Hi,

Do you use a report or an inline search on your dashboard? If you use a report, is the report scheduled? Scheduled reports will show the same results until they are triggered again by the scheduler. If so, change your report to an inline search or edit the interval of the scheduled report.

Greetings

Tom

0 Karma

IRHM73
Motivator

Hi, many thanks for taking the time to reply to my post. I'll take a look at this and get back to you.

0 Karma

IRHM73
Motivator

Hi, I've looked into the situation again and although it was a scheduled report, I've now changed this and run the report immediately with the query: auditSource=nc detail.input=* | sitop detail.input but the dashboard doesn't update.

My apologies for the stupid query, but I'm relatively new to using Splunk.

Many thanks and kind regards

Chris

0 Karma

tom_frotscher
Builder

Hi,

The report for the summary indexing needs to be scheduled. But you could check if the search in your dashboard is scheduled.

In general for summary indexing, you schedule a report that uses the si aggregation commands (e.g. sitop).

To retrieve the information of your summary, you use the exact same search; you only use the summary index and the standard aggregation commands (e.g. top).

So in your case make a scheduled report like this:

auditSource=nc detail.input=* | sitop detail.input

For your dashboard you use an inline search like this:

index=summary auditSource=nc detail.input=* | top detail.input

Greetings

Tom

0 Karma
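To make the two halves of Tom's answer concrete, here is an added example (not code from the thread or from Splunk) that lays out a minimal Splunk app pairing a scheduled summary-populating report (sitop) with a dashboard whose panel is an inline search over index=summary (top), plus a small lint that flags the stale pattern: a panel bound to a saved report through <search ref="...">, which only ever shows that report's last scheduled result set. The app name, the report name "Summary - nc top detail.input", the hourly schedule and the dashboard time range are assumptions; the source search is the one Chris posted.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. Builds a minimal app with
#  (1) a SCHEDULED summary-populating report using sitop, and
#  (2) a dashboard whose panel is an INLINE search over index=summary using top,
# and a lint that rejects panels bound to a saved report (<search ref="...">).
# Assumptions: app path given by caller, report name "Summary - nc top detail.input",
# hourly schedule. Deploy the resulting directory under $SPLUNK_HOME/etc/apps/.
set -eu

write_app() {
  app="$1"
  mkdir -p "$app/local/data/ui/views"

  # Scheduled report: every hour, summarise the previous whole hour into index=summary.
  # earliest/latest are snapped to the hour so consecutive runs neither overlap nor leave gaps.
  # Only scheduled runs fire action.summary_index; running the report by hand writes nothing.
  cat > "$app/local/savedsearches.conf" <<'EOF'
[Summary - nc top detail.input]
search = auditSource=nc detail.input=* | sitop detail.input
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = summary
EOF

  # Dashboard: inline search over the summary, re-run on every page load and every 5 minutes.
  # search_name is the field summary indexing adds automatically; it equals the report name.
  cat > "$app/local/data/ui/views/input_summary.xml" <<'EOF'
<dashboard>
  <label>Top inputs (from summary index)</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=summary search_name="Summary - nc top detail.input" | top detail.input</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
          <refresh>5m</refresh>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
EOF
}

# Returns 0 when the view uses inline <query> searches only, 1 when any panel is bound to a
# saved report via <search ref="...">: such panels display the report's last scheduled result
# set and do not re-run when the dashboard is refreshed, which is the symptom in this thread.
lint_dashboard() {
  if grep -q '<search ref=' "$1"; then
    echo "stale pattern: $1 binds a panel to a saved report" >&2
    return 1
  fi
  grep -q '<query>' "$1"
}

# Constructed counter-example: a panel bound to a saved report named "Test".
write_bad_dashboard() {
  cat > "$1" <<'EOF'
<dashboard>
  <row><panel><table><search ref="Test"/></table></panel></row>
</dashboard>
EOF
}

if [ "${1:-}" = "run" ]; then
  write_app ./summary_demo
  lint_dashboard ./summary_demo/local/data/ui/views/input_summary.xml && echo "dashboard OK"
fi
```

Run it as `sh build_app.sh run` to generate the app. Note that the dashboard's <refresh> only re-runs the inline search over what is already in index=summary; it cannot make the summary itself fresher than the populating report's schedule. If the panel still looks stale, check when the summary was last written with a search such as index=summary search_name="Summary - nc top detail.input" | stats max(_time) before suspecting the dashboard.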

IRHM73
Motivator

Hi thank you for your reply.

The issue which puzzles me, is that the Splunk documentation shows the following:

Let's say you've been running the following search, with a time range of the past year:

eventtype=firewall | top src_ip

This search gives you the top source ips for the past year, but it takes forever to run because it scans across your entire index each time.
What you need to do is create a summary index that is composed of the top source IPs from the "firewall" event type. You can use the following search to build that summary index. You would schedule it to run on a daily basis, collecting the top src_ip values for only the previous 24 hours each time. The results of each daily search are added to an index named "summary":

eventtype=firewall | sitop src_ip

then

Now, let's say you save this search with the name "Summary - firewall top src_ip" (all saved summary-index-populating searches should have names that identify them as such). After your summary index is populated with results, search and report against that summary index using a search that specifies the summary index and the name of the search that you used to populate it. For example, this is the search you would use to get the top source_ips over the past year:

index=summary search_name="summary - firewall top src_ip" | top src_ip

So I've written my queries as such.

Many thanks and kind regards

Chris

0 Karma

tom_frotscher
Builder

Hi,

Your summary indexing search needs to be scheduled. But your search on the dashboard has to be an inline search.

This is how you should go:
For the summary indexing you use the sitop command. This puts the result of your search in a summary index. If you want to use the results, you reference the summary index and use the exact same search as before, with a single difference: you use the standard aggregation commands (e.g. top) instead of the si aggregation commands (e.g. sitop).

Greetings

Tom

0 Karma