how often do charts update? f5 ltm irule

mbassettjr · ‎11-02-2011

I have the splunk irule working and I'm seeing information in the dashboards.

However, the Top User Agents charts and Top Client IP charts are not getting updated, the top user agent has 30 hits, and the top client ip has 10 hits. But, when I run the search query i see the proper counts.

mbassettjr · ‎11-03-2011

The issue i have noticed is that the user agent charts for the F5 LTM irule logging do not seem to be correct.

I have found the search it is running:

stats sum(count) as count by user_agent| head 10 | sort – count

The issue I have with this is it is showing Blackberry user agents with the highest count. On further investigation, it appears that IE and Firefox and the major browsers do not use identical User agent strings, and this query is not able to 'wrap them up' to IE6 or Firefox 7 or whatever browser it is, since they are unique and differing.

Example:

            Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; MS-RTC LM 😎

32 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

33 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

34 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

35 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

36 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1; MS-RTC LM 😎

37 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

38 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

39 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; InfoPath.2)

40 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30)

It is interesting to note however, that if i look at the top user agent chart from the normal search pane, the results are different still. Using this query:
top limit=100 user_agent

provides a different result set than the previous query.

What is going on here?

rroberts · ‎11-03-2011

Well, it depends.

If you are using real time searches the dashboard should update on its own every 2 or 3 second.
If you are calling a scheduled saved search on the dashboard you will see cached results until the search runs again.
If you are embedding the search directly on the panel the search will run when the dashboard loads. With simple XML you can set refresh rate. See: http://docs.splunk.com/Documentation/Splunk/4.2.4/Developer/Step1CreateADashboard
Optionally set the refresh rate for the entire dashboard by adding a
refresh="<seconds>" attribute: <dashboard refresh="30">

how often do charts update? f5 ltm irule

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...