Splunk Search

refresh.auto.interval not working

johnraftery
Communicator

Hi, I use a drop-down menu to set the refresh.auto.interval for a table:

<panel>
  <title>Real-Time Stats</title>
  <input type="dropdown" token="refresh_interval" searchWhenChanged="true">
    <label>Panel Refresh Override</label>
    <choice value="5">5 seconds</choice>
    <choice value="60">1 Minute</choice>
    <choice value="300">5 Minutes</choice>
    <default>300</default>
  </input>
  <table>
    <search>
      <query>eventtype=mlc2 sourcetype=tps | stats avg(duration) as average, count(duration) as count, stdev(duration) as stdev, median(duration) as median, perc95(duration) as perc95, perc99.5(duration) as perc99.5, min(duration) as min, max(duration) as max, earliest(_time) as start, latest(_time) as stop by operationIdentity</query>
      <earliest>$selection.earliest$</earliest>
      <latest>$selection.latest$</latest>
    </search>
    <option name="refresh.auto.interval">$refresh_interval$</option>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>

But it seems like the value is not taken into account; when viewing the table in real-time mode (eg 1 hour window), the table continuously refreshes, so it is quite hard to read.

Thanks,
John Raftery

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Hi John,

I have what sounds like the same issue. I have a control panel that has the pan/zoom support, which passes onto other panels. Great to non RT dashboards, but RT has the continual refresh. I was trying to solve this with auto-sensing RT or non RT dashboards, so that in RT I could use the time picker time, rather than the zoom time, which never changes for RT. See https://answers.splunk.com/answers/379538/conditionally-set-search-time-range-depending-on-r.html

If you've found a solution can you share.
Cheers
Antony

0 Karma

johnraftery
Communicator

Hi Antony, thanks for this, it sounds like we have the same problem. I haven't found any solution that gives me what I'm after. Have you?

0 Karma

chimell
Motivator

hi johnraftery
you can use manually thsi option :
- Go in the bottom of your panel and click on :
- alt text

0 Karma

gyslainlatsa
Motivator

No johnraftery,

remove

<option name="refresh.auto.interval">10</option>

and write something like this

<dashboard refresh="10">
<panel>
    <table>
      <search>
        <query>|stats count |eval Time=now()|convert ctime(Time) as Time</query>
        <earliest>rt-1h</earliest>
        <latest>rtnow</latest>
      </search>
      <option name="wrap">true</option>
    </table>
 </panel>
 </dashboard>  

johnraftery
Communicator

I'm getting an XML error for this:

XML Syntax Error: Row, on line=381, contains unknown node=dashboard on line=382.

Are you allowed have a dashboard tag inside a row tag? This is what I have:

< form script="table_cell_highlighting.js" stylesheet="table_cell_highlighting.css,single_decorations.css">
...
< row>
< dashboard refresh="30">
< panel>
...

0 Karma

johnraftery
Communicator

Are you suggesting I use < dashboard> instead of < form>?

0 Karma

gyslainlatsa
Motivator

no, try put the refresh="30" in your < form> like this:

< form refresh="30">

or following this link:

https://answers.splunk.com/answers/24238/dashboard-automatic-refresh.html

0 Karma

johnraftery
Communicator

Ah, I see. This isn't what I'm looking for - I don't want the whole dashboard to refresh periodically, I only want one panel to refresh.

0 Karma

gyslainlatsa
Motivator

no, you can not use < dashboard refresh="30"> in the < form > tag

0 Karma

johnraftery
Communicator

Ok, so what do you mean then?

0 Karma

gyslainlatsa
Motivator

hi johnraftery,

You're using the Simplified XML, for example put the refresh="30" inside your tag, like this:

<dashboard refresh="30">
------
-------
-------

 </dashboard>

for more information, try following this link:

https://answers.splunk.com/answers/24238/dashboard-automatic-refresh.html

0 Karma

johnraftery
Communicator

Where should the dashboard tag go? Do you mean something like this?

 <panel>
   <dashboard refresh="30">
   <table>
     <search>
       <query>|stats count |eval Time=now()|convert ctime(Time) as Time</query>
       <earliest>rt-1h</earliest>
       <latest>rtnow</latest>
     </search>
     <option name="wrap">true</option>
     <option name="refresh.auto.interval">10</option>
   </table>
   </dashboard>
 </panel>
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Token might not work in options though it works in Title. You might need to give an appropriate seconds value directly

Happy Splunking!
0 Karma

johnraftery
Communicator

Thanks, I already tried hardcoding a value like 60, but it didn't seem to take effect.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Strange, below works fine for me

<form>
  <label>TEST</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|stats count |eval Time=now()|convert ctime(Time) as Time</query>
          <earliest>rt-1h</earliest>
          <latest>rtnow</latest>
        </search>
        <option name="wrap">true</option>
        <option name="refresh.auto.interval">10</option>
      </table>
    </panel>
  </row>
</form>

Do you have dashboard refresh enabled ie ; entire dashboard?

Happy Splunking!
0 Karma

johnraftery
Communicator

Good question. How would I enable dashboard refresh?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Do you mind pasting the complete xml after masking your sensitive data ?

Happy Splunking!
0 Karma

johnraftery
Communicator

Sure

<form script="table_cell_highlighting.js" stylesheet="table_cell_highlighting.css,single_decorations.css">
  <label>CONSULTANT_VIEW_LIVE_DEV</label>
  <description>A high level view for consultants</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="host_token" searchWhenChanged="true">
      <label>Data Source:</label>
      <search>
        <query>| metadata type=hosts index=mlc_demo and index=mlc_live | fields host</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <default>SPLUNK_DEMO</default>
      <prefix>host=</prefix>
    </input>
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Reports Time Picker</label>
      <default>
        <earliest>-4d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="checkbox" token="TPS_ON_OFF" searchWhenChanged="true">
      <choice value="ON">ON</choice>
      <default>ON</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$TPS_ON_OFF$">
      <title>TPS + LTS</title>
      <input type="checkbox" token="CPU_OVERLAY" searchWhenChanged="true">
        <choice value=" OR 1=1">ON</choice>
        <default>"where 1=2"</default>
      </input>
      <input type="checkbox" token="MLC_GC_OVERLAY" searchWhenChanged="true">
        <choice value=" OR 1=1">ON</choice>
        <default>"where 1=2"</default>
      </input>
      <chart>
        <search>
          <query>eventtype=mlc2 sourcetype=tps $host_token$ | where match(operationIdentity, "^[A-Z]") OR operationIdentity="buildCompilation" OR operationIdentity="commitXA" | eval value = endTime - startTime | rename operationIdentity as series | table _time series value | append [ search eventtype=mlc2 sourcetype=lts_timings $host_token$ | eval end_timestamp=strptime(end,"%Y-%m-%d %H:%M:%S") | eval end_event=mvappend("",end_timestamp.",".series."_STOP,".value,"") | eval series = series."_START" | mvexpand end_event | rex field=end_event "(?&lt;_time&gt;[^,]+),(?&lt;series&gt;[^,]+),(?&lt;value&gt;[^,]+)" | table _time series value ] | append [ search eventtype=mlc2 sourcetype=vmstat-linux $host_token$ | $CPU_OVERLAY$ | rex field=source "/(?&lt;source_short&gt;[^/]+).{24}$" | rename cpu_used as value | table _time series value ] | append [ search eventtype=mlc2 sourcetype=sun_jvm $host_token$ service_name=*mlc*.gc.log | $MLC_GC_OVERLAY$ | eval series = "CMS" | eval value=if(isnotnull(cms_reset),1,null) | table _time series value ] | append [ search eventtype=mlc2 sourcetype=sun_jvm $host_token$ service_name=*mlc*.gc.log | $MLC_GC_OVERLAY$ | eval series = "FULL GC" | eval value=if(isnotnull(full_gc),1,null) | table _time series value ] | eventstats max(value) as top | eval value=if((series="CMS" OR series="FULL GC") AND value=1,top,value) | timechart bins=2000 max(value) by series limit=0</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">1</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.data.count">20000</option>
        <option name="charting.chart.resultTruncationLimit">20000</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">TPS Time (ms)</option>
        <option name="charting.axisTitleY2.text">CPU usage (%)</option>
        <option name="charting.axisY2.minimumNumber">0</option>
        <option name="charting.axisY2.maximumNumber">100</option>
        <option name="height">590</option>
        <selection>
          <set token="selection.earliest">$start$</set>
          <set token="selection.latest">$end$</set>
        </selection>
      </chart>
    </panel>
  </row>
  <row>
    <panel refresh="30" depends="$TPS_ON_OFF$">
      <title>MLC Real-Time Stats (for the time-period selected in the chart above)</title>
      <input type="dropdown" token="refresh_interval" searchWhenChanged="true">
        <label>Panel Refresh Override</label>
        <choice value="5">5 seconds</choice>
        <choice value="60">1 Minute</choice>
        <choice value="300">5 Minutes</choice>
        <default>300</default>
      </input>
      <table>
        <search>
          <query>eventtype=mlc2 sourcetype=tps $host_token$ | where match(operationIdentity, "^[A-Z]") OR operationIdentity="buildCompilation" OR operationIdentity="commitXA" | eval duration = endTime - startTime | stats avg(duration) as average, count(duration) as count, stdev(duration) as stdev, median(duration) as median, perc95(duration) as perc95, perc99.5(duration) as perc99.5, min(duration) as min, max(duration) as max,earliest(_time) as start, latest(_time) as stop by operationIdentity  | eval average = round(average, 1) | eval time_slice_per_min = (stop-start)/60 | eval Throughput_per_minute= count/time_slice_per_min | eval stdev = round(stdev, 1) | rename operationIdentity as operation_identity | sort operationIdentity | fields - stop - start - time_slice_per_min</query>
          <earliest>$selection.earliest$</earliest>
          <latest>$selection.latest$</latest>
        </search>
        <option name="refresh.auto.interval">60</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
        <drilldown>
          <set token="dummy_token">0</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Please remove refresh=30 from though it's not affecting anything. It doesn't do anything as well. I have tried your last panel by changing the search to mine and it's working as expected.
Can you just open this dashboard in a new browser window and try? Try creating a test dashboard with the refreshing panel only and try as well.

Happy Splunking!
0 Karma

johnraftery
Communicator

Thanks, I've given that a go, no luck unfortunately. In the past I've found that sometimes having an append in the search can affect the real-time behaviour. Do you think that might be the case here?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...