Splunk Search

Getting all the values of a column in a table into a variable


Hi, I'm trying to make a custom dashboard. This is what I've got so far. The dashboard is in HTML; it is an image of the schema with all the servers for that application. The point is to get a quick overview to see where something is wrong. I can't use Simple XML because the data has to be "real time". I use JavaScript to rerun the searches every minute. Now there is a server where the load time sometimes spikes, and when it spikes too much things go wrong.
So to make the dashboard more complete I want to add a sparkline with the load time on this server, so you can see the load time of the last 30 min or so.
I know the JavaScript code to make this happen, but the thing I need is the variables to put in the sparkline. So I want all the variables of a column in a table. The table is drafted with a timespan search, like this:

   search... | timechart span=5s count as values

The dashboard is in HTML, so to extract the values I tried to use this:

  new SearchEventHandler({
                manegerid: "searchID1",
                event: "preview",
                conditions: [
                        attr: "any",
                        value: "*",
                        actions: [
                            {"type": "set", "token": "loadtime_1", "value": "$result[1].values$"},
                            {"type": "set", "token": "loadtime_2", "value": "$result[2].values$"},
                            {"type": "set", "token": "loadtime_3", "value": "$result[3].values$"},
                            {"type": "set", "token": "loadtime_n", "value": "$result[n].values$"}

This didn't work; I used the tokens in the HTML, like all the other things I did on this dashboard.
Does anyone have a solution to this, or an alternative method to achieve the same goal?

thanks in advance

0 Karma
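One way to get every row of the `values` column into a JavaScript array is to read the search manager's results model directly rather than going through tokens. This is an added example, not code from the original post; it assumes the results model returns the usual `{fields, rows}` payload, and `watchColumn`, `columnValues` and `drawSparkline` are hypothetical names.

```javascript
// Added example (not from the original post).
// Assumption: resultsModel.data() returns { fields: [...], rows: [[...], ...] },
// where each row is an array ordered like `fields` and cells are strings.

// Extract one column as numbers; empty or non-numeric cells become null
// so the sparkline can show a gap instead of a false zero.
function columnValues(payload, fieldName) {
  if (!payload || !Array.isArray(payload.fields) || !Array.isArray(payload.rows)) {
    return [];
  }
  // Field entries may be plain names or objects carrying a `name` property.
  const names = payload.fields.map((f) => (typeof f === "string" ? f : f.name));
  const idx = names.indexOf(fieldName);
  if (idx === -1) return [];
  return payload.rows.map((row) => {
    const cell = row[idx];
    if (cell === null || cell === undefined || cell === "") return null;
    const n = Number(cell);
    return Number.isNaN(n) ? null : n;
  });
}

// Subscribe to a SplunkJS search manager and hand the whole column to a
// callback every time preview results arrive. count: 0 asks for all rows.
function watchColumn(manager, fieldName, onSeries) {
  const results = manager.data("preview", { count: 0 });
  results.on("data", () => {
    if (results.hasData()) onSeries(columnValues(results.data(), fieldName));
  });
  return results;
}

// Constructed sample payload for `... | timechart span=5s count as values`.
const SAMPLE_PAYLOAD = {
  fields: ["_time", "values", "_span"],
  rows: [
    ["2024-01-01T10:00:00.000+00:00", "3", "5"],
    ["2024-01-01T10:00:05.000+00:00", "7", "5"],
    ["2024-01-01T10:00:10.000+00:00", null, "5"],
    ["2024-01-01T10:00:15.000+00:00", "12", "5"],
  ],
};

// In the dashboard (inside the page's require([...]) callback), usage would be:
//   watchColumn(mvc.Components.get("searchID1"), "values", drawSparkline);
// where drawSparkline is your own (hypothetical) rendering function.
```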


You can do "real time" in simple HTML. (At least to the granularity you specified.) I have pasted the source for a panel I use, which uses a 10 minute refresh. If you want 1 minute refresh, use this in place of the line from my example:

  <option name="refresh.auto.interval">60</option>

So, create the search you need and save it to a dashboard, then edit the source and add the "refresh.auto.interval" line to the chart.


    <chart>
      <title>CPU Utilization by Host</title>
      <search>
        <query>index=os sourcetype=cpu $hosts$ | timechart span=$span$ avg(pctCPUutil) by host</query>
      </search>
      <option name="refresh.auto.interval">600</option>
      <option name="charting.legend.placement">bottom</option>
      ... snip ...
      <option name="charting.axisY.maximumNumber">100</option>
    </chart>
0 Karma

Esteemed Legend

This is very hard to read (understand); perhaps you have time to go back and fix some of the confusing phrasing and spelling (particularly in the title/subject). Why are you using html and not simple.xml?

0 Karma