Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About sansay
sansay
Contributor
Member since:
07-28-2011
06-05-2020
Community Statistics
| Posts | 104 |
| Solutions | 7 |
| Karma Given | 75 |
| Karma Received | 47 |
| Member Since | 07-28-2011 |
Activity Feed
- Got Karma for Re: Set Default App by Role?. 08-05-2025 08:19 AM
- Got Karma for Re: Why am I getting error "Events may not be returned in sub-second order due to search memory limits configured in limits.conf:[search]:max_rawsize_perchunk"?. 06-21-2020 05:58 PM
- Karma How do I add a check box to change my search? for salpaysog. 06-05-2020 12:50 AM
- Karma Re: Data masking for skoelpin. 06-05-2020 12:48 AM
- Karma Re: E-mail alerts stopped working since 6.6 upgrade for some users for mafisher_splunk. 06-05-2020 12:48 AM
- Karma Re: After upgrading from Splunk DB Connect 1 to version 2, I set up a dbinput, but why does the status change from Enabled to Disabled? for varad_joshi. 06-05-2020 12:48 AM
- Karma Summary Index Backfill in Search Head Cluster for tkwaller. 06-05-2020 12:48 AM
- Karma Re: How often/quickly does a Splunk universal forwarder read a file? for dshakespeare_sp. 06-05-2020 12:48 AM
- Got Karma for Re: Can you remove a unit of measurement from a field value?. 06-05-2020 12:48 AM
- Got Karma for Re: Can you remove a unit of measurement from a field value?. 06-05-2020 12:48 AM
- Got Karma for Re: Form line break in description. 06-05-2020 12:48 AM
- Got Karma for overriding default host field extraction won't work. 06-05-2020 12:48 AM
- Karma Re: Sideview Utils: customBehavior to show/hide checkbox not working for sideview. 06-05-2020 12:47 AM
- Karma How to view percentages in column chart instead of total values without calculating percentages in search? for HeinzWaescher. 06-05-2020 12:47 AM
- Karma Re: pulldown selection reset to default upon dashboard refresh for sideview. 06-05-2020 12:47 AM
- Karma Re: Sideview: How to change checkboxpulldown back to All Selected with a button without reloading the rest of the page? for sideview. 06-05-2020 12:47 AM
- Karma Sideview: How to change checkboxpulldown back to All Selected with a button without reloading the rest of the page? for snoobzilla. 06-05-2020 12:47 AM
- Karma Throwing errors in splunk dashboards for nibinabr. 06-05-2020 12:47 AM
- Karma Re: How to fully display y-axis labels for my bar chart? for mwiew. 06-05-2020 12:47 AM
- Karma Re: Why am I getting "Socket error communicating with splunkd" when I try to reload my deployment server to push out new configurations? for mookiie2005. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 4 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 2 |
10-02-2014
10:51 AM
We just got updated from version 5.0.8, to 6.1.3, and I am not happy at all with the new behavior of the menu navigation.
In version 5, when mousing over a menu item which points to a submenu, the submenu would appear, let you navigate to the next submenu while keeping the previous one open. There was no need to click, and it allowed you to keep track of the path you followed. You could also quickly take a screenshot to send to coworkers to let them know where the new dashboard was. In version 6, you have to click on a menu item which points to a submenu. This shifts the box to the submenu, in such a way that you never can see where you came from. And you have to click every time you want to navigate all the submenus.
Is it possible to change this behavior back to that of version 5?
I recently came across this question:
http://answers.splunk.com/answers/140375/cascading-menus-for-nested-navigation.html
which made me realize that the proper term to describe the menu I want is "cascading menu".
Well, I took a look at the doc but didn't see anything having to do with cascading menus. It does mention the nesting, and the limitation of 2 levels. The strange thing is that I have a menu nested at 3 levels and it works. But it's not cascading. So my question remains.
... View more
09-26-2014
04:40 PM
I thought I had read the help regarding this a while back. But I just took a look and there it was:
auto_summarize.max_time =
* The maximum amount of time that the summary search is allowed to run. Note that this is an approximate time
* and the summarize search will be stopped at clean bucket boundaries.
* Defaults to: 3600
Perhaps it was added later.
Anyway, I will test this and confirm.
... View more
09-26-2014
03:54 PM
1 Karma
In the answer I provided for this question:
http://answers.splunk.com/answers/138860/splunk-acceleration-summary-stuck-at-33.html#answer-170698
I explained that I discovered that, in my system, the acceleration process which builds a summary in the indexers, has a limited run time of 10 minutes. This was probably done because the default acceleration schedule, by design, is set to every 10 minutes.
However since we can change the schedule, and I have some queries which take too long, I would like to change the schedule so that the process runs less frequently but gets the time to complete.
The argument to change the acceleration schedule is: auto_summarize.cron_schedule.
You can add it to the savedSearch.conf in the stanza for the relevant search and set it equal to a cron schedule, like this:
auto_summarize.cron_schedule = 3,13,23,33,43,53 * * * *
But I do not know how to specify the maximum runtime of the acceleration. Does anyone know this?
... View more
09-25-2014
11:58 PM
2 Karma
Splunk acceleration never completes because it hits a search time limit. In my case I determined that it was set to 600 seconds or 10 minutes. I have been fighting this recently. How did I come to this conclusion? I had a search which collects millions of records and must add up and convert the amounts based on a currency lookup table. I wanted to accelerate this search over a 1 month period. The acceleration got stuck at 44%. By default splunk has the acceleration schedule set to happen every 10 minutes. You can change it by adding this in the savedSearch.conf:
auto_summarize.cron_schedule = 3,13,23,33,43,53 * * * *
In this particular example, I was shifting the schedule so that it does not happen at the 0, 10, 20,30,40,50 minutes because too many accelerations triggered huge load spikes.
Anyway, I changed the schedule so that the acceleration process happens only once an hour. Then I watched it. At the specified time the updating message appeared, and exactly 10 minutes later, on the dot, it showed 44%. Then next message was "pending" which is what happens when the acceleration process has nothing to do. And the same thing happened again at the scheduled time.
So, my recommendation is: if you can, use a smaller time range, or use a different technique, such as building a dataset in the summary index with a query that runs every 5 minutes, and then use your regular search to get the data to show.
... View more
08-19-2014
04:12 PM
1 Karma
Great suggestions which I will keep in mind next time I see this issue.
As I needed this to work right away I searched and found another work around which turned out to be an even better design.
I made the HiddenSearch the base search, and used postProcess in both pulldown and checkboxPulldown to run subsearches so as to set their options. This way I didn't need another search.
Once again thank you so much for your help.
... View more
08-19-2014
02:29 PM
1 Karma
Thank you Nick.
Being too busy, I forgot to post this: I found a way around this issue. I added a customBehavior method to the checkboxPulldown in which I called:
this.clearDynamicOptions();
This has worked perfectly. Every time the selection changed all the options are selected.
I now wonder if there will be some side effect with your fix.
... View more
08-12-2014
05:27 PM
I have a couple of searches which feed a pulldown, and a checkboxPulldown.
The problem is that the timerange (only 2 minutes) of the search that feeds the checkboxPulldown is immediately applied to TimeRangePicker after the checkboxPulldown gets its data.
If I use a HiddenSearch, then the timerange does not get assigned to TimeRangePicker. The problem is that I need the Search to not be hidden as it gets $foo$ variables from upstream.
How can I prevent this?
... View more
08-12-2014
04:35 PM
How interesting!
I am just struggling with the same issue.
I have 3 pulldown controls preceding the CheckboxPulldown. Everytime I change a selection in any of the pulldowns, the options change in the CheckboxPulldown, but if the elements didn't exist previously they are not selected. Which sometimes results in a search failure because the controls has nothing selected. So I would prefer that, anytime there is a change of options, they are all selected.
... View more
08-07-2014
09:49 AM
I had to work on this issue. My experiments showed that there are 2 rules that must be respected for this to work.
1. The panel to which the object belongs must be in the declaration of the formatting statement.
2. the html module must be placed after the object declaration.
Example code:
<![CDATA[
<br>
.viewHeader {<br>
background-color:#82CDE6;<br>
}<br>
.viewHeader .TimeRangePicker {<br>
float:left;<br>
}<br>
]]>
... View more
08-06-2014
10:17 AM
1 Karma
Excellent! I feel a bit stupid for the dumb copy/paste mistake. At the same time I learn a lot from you.
I may be the sansay, but you sure are the sensei.
Thank you so much!!
... View more
08-05-2014
04:37 PM
1 Karma
I wrote the code below after looking at many examples, and reviewing the modules documentation.
And yet, I can't get it to work. The checkbox remains visible regardless of the time range I select. It should only be visible when the user selects "Last 60 minutes" in the TimeRangePicker.
<view isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" template="dashboard.html">
Line Resources Overview
False
splunk.search.job
True
1
warn
Last 4 hours
True
<module name="Checkbox" layoutPanel="viewHeader">
<param name="label">"5m auto-refresh"</param>
<param name="customBehavior">LRO_ShowAutoRefreshCheckBox</param>
<param name="float">left</param>
</module>
<module name="HTML">
<param name="html">For 5 mins auto-refresh select the "Last 60 minutes" time range.</param>
</module>
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">
index=os * | rex "lvn-(?<Line>[a-z][0-9])-" | dedup Line | table Line | sort Line</param>
<module name="JobProgressIndicator"/>
<module name="SimpleResultsTable"/>
</module>
</module><!-- TimeRangePicker -->
OK the code looks partly marked as code partly as regular comments. But it's all there.
And here is the code I added in application.js:
Sideview.utils.declareCustomBehavior("LRO_ShowAutoRefreshCheckBox", function(checkBoxModule)
{
var methodReference = checkBoxModule.onContextChange.bind(checkBoxModule);
checkBoxModule.onContextChange = function()
{
var retVal = methodReference();
if (this.getContext().get("search").getTimeRange().getEarliestTimeTerms()=="-60m@m" && this.getContext().get("search").getTimeRange().getEarliestTimeTerms()=="now")
{
this.show();
} else
{
this.hide();
}
return retVal;
}
});
And yes, I rebooted splunkweb to make sure application.js has been read by splunk after my change.
EDIT: I just found 2 errors, thanks to google developper tools.
1- there was a brace missing in my javascript.
2- I needed to get the context from "this".
The js code above reflects those fixes. But it still doesn't work right. Now the checkbox goes away as soon as I change the time range and never comes back regardless of the setting.
... View more
07-30-2014
04:57 PM
Now that I learnt how to use Sideview I can give you the answer. In my dashboard I added a pulldown module named "refreshRate". The value of param refreshEver in module AutoRefresh is set to $refreshRate$. This works perfectly.
Here is the relevant code:
<module name="Pulldown" layoutPanel="viewHeader">
<param name="name">refreshRate</param>
<param name="label">Refresh Rate</param>
<param name="float">left</param>
<param name="staticOptions">
<param name="label">5 m</param>
<param name="value">300</param>
</list>
<list>
<param name="label">1 m</param>
<param name="value">60</param>
</list>
<list>
<param name="label">30 s</param>
<param name="value">30</param>
</list>
</param>
<module name="AutoRefresh" layoutPanel="panel_row1_col1" >
<param name="refreshEvery">$refreshRate$</param>
<module name="Search" group="Load Average (1m)" >
<param name="search">`LRO_load_average($selectedLine$,$selectedType$)`</param>
... View more
07-30-2014
02:48 PM
Alright, we have now the latest version, 3.2.8, so I changed the code to add the AutoRefresh module and put back the ValueSetter module, and all works as expected.
Nick, I thank you very much for all your help, this includes all the little suggestions for cleaner code.
... View more
07-28-2014
02:17 PM
I tried your version, but it didn't work. The settings reverted to the default values just as in my version.
Also, when I first saved your version I got 3 errors such as:
Unknown parameter 'arg.charting.chart.nullValueMode' is defined for module ValueSetter. Make sure the parameter is specified in ValueSetter.conf.
So, I had to revert the code to using the HiddentChartFormatter module. Otherwise everything else was just the code you posted. I tried with both Chrome and Firefox.
Unless you can think of something else, I will just wait until we get SideView updated and use AutoRefresh module
... View more
07-25-2014
01:49 PM
Hello Nick,
Yesterday I added the code I used with your second suggestion. Could you please take a look and let me know if you can see anything wrong with it?
... View more
07-23-2014
01:49 PM
Thank you very much for the prompt answer.
Unfortunately I couldn't try the AutoRefresh module since that was added in version 3.0. However I got the right people to agree to update Sideview on Monday.
In the meantime I decided to try the URLLoader approach, and I am sorry to report that it didn't work: the PullDown value reset, and in fact the URL reverts to the original call. I tried this with both Firefox and Chrome.
I will add the code I tried in my question.
... View more
07-23-2014
09:47 AM
2 Karma
I just created a dashboard using sideview pulldown.
Seems very nice to use, but, I was very disappointed to discover that upon auto-refresh my selections were reset to the default values. The version we have here is 2.4.10. and no, sadly enough, it's not going to be easy to get it updated.
Anyone know how to prevent this?
Here is the code I tried after reading Nick's answer.
Keep in mind that this is a test version with only one chart.
The complete version shows 9 charts.
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="90" template="dashboard.html">
<label>Line Resources Overview</label>
<module name="SideviewUtils" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="showActionsMenu">False</param>
</module>
<module name="Message" layoutPanel="navigationHeader">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
<param name="level">warn</param>
</module>
<module name="URLLoader" layoutPanel="appHeader" autoRun="True">
<param name="keepURLUpdated" >True</param>
<module name="Pulldown" layoutPanel="viewHeader">
<param name="name">selectedLine</param>
<param name="label">Line</param>
<param name="float">left</param>
<param name="staticOptions">
<list>
<param name="label">E1</param>
<param name="value">e1</param>
</list>
<list>
<param name="label">D1</param>
<param name="value">d1</param>
</list>
<list>
<param name="label">D2</param>
<param name="value">d2</param>
</list>
</param>
<module name="Pulldown" layoutPanel="viewHeader">
<param name="name">selectedType</param>
<param name="label">Type</param>
<param name="float">left</param>
<param name="staticOptions">
<list>
<param name="label">Apache</param>
<param name="value">w</param>
</list>
<list>
<param name="label">Tomcat</param>
<param name="value">t</param>
</list>
<list>
<param name="label">SysEng</param>
<param name="value">sys</param>
</list>
</param>
<module name="Search" layoutPanel="panel_row1_col1" group="Load Average (1m)" autoRun="True">
<param name="search">' LRO_load_average($selectedLine$,$selectedType$)' </param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">line</param>
<param name="charting.legend.placement">right</param>
<param name="charting.axisTitleX">none</param>
<param name="charting.axisTitleY">none</param>
<param name="charting.chart.nullValueMode">connect</param>
<param name="charting.layout.splitSeries">false</param>
<module name="FlashChart">
<param name="width">100%</param>
<!--<param name="height">260px</param>-->
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
... View more
07-22-2014
04:31 PM
I just had to deal with this issue. I am surprised to not see any good answers.
So I had to figure it out:
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">350px</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
You have to specify the number, followed by px for pixels. If you put only the number it just won't work.
Also, note that this height is really the height of the chart itself. You have to account for an extra 50 pixels for the frame.
... View more
06-12-2014
10:32 AM
2 Karma
The corrected query is:
search... | fields + user, country| eventstats dc(user) as totalcount | stats dc(user) AS Users by country, totalcount | eval countrypercent=Users/totalcount*100 | sort - Users
The problem with the original query is that it didn't pass totalcount in the stats statement.
So the percentage could not be calculated.
... View more
05-07-2014
04:58 PM
Question 1: I would recommend using one or the other.
By using both you are duplicating the workload. On one hand you create a summary index that sits in your search head and which is maintained by your scheduled search. On the other you are creating another summary index (the accelerated search) in your indexers, which is maintained by the automation built in for acceleration. This automation will run every 10 minutes to update your "accelerated summary index".
The advantage of using summary index is that it's faster to search the data in the summary index if you are on the same search head. There is no loss due to network traffic.
The advantage of using accelerated search is that your data is searchable faster from any search head.
Question 2: it depends on which scheme you choose. If using the "scheduled searches + summary index" solution, if there are late arriving logs you will have data gaps.
On the other hand my understanding is that search acceleration will automatically go back and fill the gaps at the next update cycle.
... View more
05-07-2014
04:34 PM
I have just come to the conclusion that search acceleration is indeed executed on a cron schedule. we see a strong spike of search activity every 10 minutes on the dot. And all the users are those who have created many accelerated searches.
Now I would really appreciate it if someone could tell us how we can randomize this activity. According to the doc, this is not controllable.
... View more
03-31-2014
02:24 PM
Well I finally found the time to investigate this issue. Here is the solution:
index=os sourcetype=ps host=lvp-snp-prsplnki* splunkd search NOT splunk-system-user | multikv fields pctCPU USER | rex field=raw "--user=(? .+) --pro" | where IsNotNull(USER) | timechart span=1m useother=false limit=0 sum(pctCPU) by SPL_USER
It seems that many things in the logs changed since this used to work.
... View more
03-27-2014
09:45 AM
Thanks for all your efforts MuS.
I just tried it with the simplest way you proposed, and, to my great surprise, it worked. The one thing I can tell you is that the simplest way didn't work originally. I remember that I had to filter for pctCPU so that I don't get to much data to sift through, and then strangely enough, our infrastructure team ran some updates on the hosts, and it stopped working altogether. So I went overboard with more complex approaches. But now, I just removed the "pctCPU" from the search, and it's back to working as it should have in the first place. So thank you so much!
... View more
03-26-2014
02:38 PM
1 Karma
For JSChart add an empty title, like this:
For example:
<param name="charting.chart">area</param>
<param name="charting.axisTitleX.text"></param>
<module name="JSChart">
... View more
03-05-2014
01:33 PM
Sorry, it doesn't work.
As a matter of fact I think I looked into that possibility. But I didn't expect it to work because when running the query without timechart, if I open the CPUPCT field in the left pane, it identifies it as "CPUPCT (numeric)".
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma from
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Karma given to
