Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About phoenixdigital
phoenixdigital
Builder
Member since:
02-08-2011
04-01-2026
Community Statistics
| Posts | 280 |
| Solutions | 25 |
| Karma Given | 33 |
| Karma Received | 77 |
| Member Since | 02-08-2011 |
Activity Feed
- Got Karma for Splunk Addon Builder 4.5.1 import/export broken on Splunk 10.2.1. 2 weeks ago
- Posted Splunk Addon Builder 4.5.1 import/export broken on Splunk 10.2.1 on All Apps and Add-ons. 04-01-2026 01:53 AM
- Got Karma for Re: Terminate User Session. 08-05-2022 12:07 AM
- Got Karma for Re: Realtime clock of Splunk server time on dashboard?. 06-10-2022 05:49 AM
- Got Karma for Indexing a CSV data file with more than one set of data. 04-06-2021 04:39 PM
- Got Karma for Can you hard code a color for a value range in Calendar Heat Map?. 06-05-2020 12:49 AM
- Karma Re: unarchive_cmd for decoding binary file with python script for MuS. 06-05-2020 12:48 AM
- Karma Re: unarchive_cmd for decoding binary file with python script for micahkemp. 06-05-2020 12:48 AM
- Karma Re: Splunk App for Stream: How to configure a universal forwarder to monitor DNS and DHCP? for vshcherbakov_sp. 06-05-2020 12:48 AM
- Karma Re: Is there a logging or debug tool to identify all props and transforms that are applied to a particular sourcetype to isolate rogue field extractions? for rjthibod. 06-05-2020 12:48 AM
- Karma Re: Is there documentation on forwarder behavior for various types of inputs when an indexer goes offline? for ryanoconnor. 06-05-2020 12:48 AM
- Karma Re: Search Head Deployer in a SH Cluster: What happens to local? for teunlaan. 06-05-2020 12:48 AM
- Karma Re: How is Server Identified After clone-prep-clear-config Script is Run? for jconger. 06-05-2020 12:48 AM
- Got Karma for Search Head Deployer in a SH Cluster: What happens to local?. 06-05-2020 12:48 AM
- Got Karma for Is there a logging or debug tool to identify all props and transforms that are applied to a particular sourcetype to isolate rogue field extractions?. 06-05-2020 12:48 AM
- Got Karma for How to update a global lookup file via REST API for a particular app in a search head cluster?. 06-05-2020 12:48 AM
- Got Karma for How to update a global lookup file via REST API for a particular app in a search head cluster?. 06-05-2020 12:48 AM
- Got Karma for setup.xml to modify/create an entry in app.conf (or anywhere else). 06-05-2020 12:48 AM
- Got Karma for Re: Chart not obeying charting.axisY.includeZero=false. 06-05-2020 12:48 AM
- Karma SA-Eventgen doesn't work? for laiyongmao. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-01-2014
05:49 PM
While this search works on the licencing server it does not appear to work from a search head.
| REST /services/licenser/licenses/
Is it possible to get the total amount you can index from a remote search head?
... View more
06-29-2014
11:30 PM
I am seeing the same issue with IE 9
None of the links for drilldowns work and they are configured in the same basic format.
<table>
<title>Top detected logtypes from generic</title>
<searchString>sourcetype=generic | stats count by logtype | sort -count | table logtype, count</searchString>
<earliestTime>$time_picker.earliest$</earliestTime>
<latestTime>$time_picker.latest$</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="count">20</option>
<option name="table.drilldown">all</option>
<drilldown target="Generic Detailed View">
<link>
/app/my_app/generic_detailed_view?form.logtype=$row.logtype$
</link>
</drilldown>
</table>
Works fine in Chrome however the client has specifically requested Splunk must work with IE.
... View more
05-22-2014
05:07 PM
As Nick pointed out to me the search in my original post was not actually the one dying it was an inline one further down that was causing the issue.
... View more
05-22-2014
01:33 PM
OK I tracked it down and it was not ResultsValueSetter. It was the search.
<module name="Search">
<param name="search"><![CDATA[
sourcetype=somedata fred=$this$ earliest=`date_find_start_of_financial_year("$Year$", "$Month$")` latest=`from_month("$Year$", "$Month$", "")` Energy=*
| dedup _time | eval _time = _time-(3600*6) | eval date_hour = strftime(_time, "%H") | eval date_monthNum = strftime(_time, "%m") | eval date_month = strftime(_time, "%b") | eval date_year = strftime(_time, "%Y") | eval date_day = strftime(_time, "%d")
| eval stripTimeDayOnly = strftime(_time,"%d %B %Y")
| eventstats sum(Energy) as Consumption, avg(co2) as Scope1 by stripTimeDayOnly
| eval dayValue = Consumption * Scope1 / 24
| stats sum(dayValue) as monthlyTotal by date_year, date_monthNum
| stats sum(monthlyTotal) as FyTotal
| fields FyTotal
]]></param>
Sure there is some double handling of stats there but the search works when pasted directly into a Splunk search.
However it wont work in the Search Module... unless
you change
| stats sum(monthlyTotal) as FyTotal
| fields FyTotal
to
| stats sum(monthlyTotal) as FyTotal | fields FyTotal
Then its fixed!!
Go figure I have no idea why it breaks only at that point. But newlines are the culprit, well at least some newlines.
When I get the time I will try to make a reproducable bug and submit it to Splunk. So the spotlight is off SideViewUtils, it was innocent of this crime. The reason this last ResultsValueSetter killed all previous ones was because the search calling it had failed. Failed silently mind you. Nothing obvious in splunkd.log that I could find.
Will post again if I can reproduce in a simpler dashboard.
... View more
05-08-2014
04:08 PM
I did initially think it might have been the *s as well. But these did not seem to affect it. I tested this previously and it made no difference to the issue.
I will try moving this to a publicly visible Splunk instance so you can see it in action Nick. Maybe later today or early next week.
So the first HTML module in the example above correctly displays $cud_company$ then the ResultsValueSetter (without a *) is performed which should set $FyTotal$. The very next HTML module now has no value for $cud_company$. Also all previously set ResultsValueSetter variable are "cleared" as well.
... View more
05-06-2014
11:35 PM
Thanks for the suggestion Nick I did have multiple offending autoRun="True"
Removing them sadly did not resolve the issue. I have emailed you at the support address as I would prefer not to post up the entire dashboard.
Thanks
... View more
05-01-2014
06:13 PM
1 Karma
I was hoping someone might be able to shed some light on an issue I have encountered recently which has been a bit frustrating to resolve.
I have an advanced XML dashboard which performs a range of nested searches (about 8 searches) which each populate some variables with ResultsValueSetter.
The final set of results then populates a HTML module to display all the results set by ResultsValueSetter to the user.
The issue I have come across is that after a particular ResultsValueSetter module all the previously set variables then disappear.
The other weirdness is that the dashboard is sometimes inconsistent between a windows and Unix version of Splunk.
So below is a snippet of the dashboard XML where it occurs. During the debugging process I put in two HTML modules to track the variables set by ResultsValueSetter.
The first HTML Module (for debug) shows the $cud_company$ which was set correctly at an earlier ResultsValueSetter (from a previous search). However after the subsequent ResultsValueSetter the value of $cud_company$ (and about 20 other variables set) dissapears.
<!-- Search 5 to determine the Invoice Details and also pull in any comments if they exist -->
<module name="PostProcess" group="Invoice Details">
<param name="search"><![CDATA[
`report_invoice_details($Mirn$,$Year$,$Month$,$reportIn_Total$)`
]]></param>
<!-- TESTING MODULE FOR TRACKING ISSUE OF LAST ResultsValueSetter losing all data -->
<module name="HTML" layoutPanel="panel_row1_col1">
<param name="html"><![CDATA[
<h1>cud_company - $cud_company$ and FyTotal = $FyTotal$</h1>
]]></param>
</module>
<module name="ResultsValueSetter">
<param name="fields">FyTotal</param>
<!-- TESTING MODULE FOR TRACKING ISSUE OF LAST ResultsValueSetter losing all data -->
<module name="HTML" layoutPanel="panel_row1_col1">
<param name="html"><![CDATA[
<h1>cud_company - $cud_company$ and FyTotal = $FyTotal$</h1>
]]></param>
</module>
I will be rebuilding the entire dashboard in stages from scratch putting in each search until I see it break in the next few days but thought I would post this up to see if anyone else can see any glaring error here.
Is there a limit in the number of nested elements with advanced XML?
Is there a limit to the number of subsearches you can perform in Splunk?
... View more
04-15-2014
05:38 PM
One other question what purpose/resolution would crcSalt = have if the log is rotated out and a brand new file of the exact name is created.
Wouldn't the crcSalt be identical?
... View more
04-15-2014
05:09 PM
Just experienced the same issue issues with a clients machine.
Logrotations have been fine for the last year or so.
Upgraded Splunk Universal Forwarder last week and got this message lastnight including the "File growth rate must be higher than indexing or forwarding rate."
Other logfiles rotated fine and continued logging to Splunk
... View more
04-08-2014
05:36 PM
dropEventsOnQueueFull (in outputs.conf) seems to have resolved it even though the manual seems to indicate it does the exact opposite and drops NEW events.
http://docs.splunk.com/Documentation/Splunk/latest/admin/outputsconf
May I recommend to a Splunk staff member to reword the manual entry for this to be less amiguous.
If set to a positive number, wait seconds before throwing out all new events until the output queue has space.
change to
If set to a positive number, wait seconds before throwing out all new events (already in the queue) until the output queue has space. New events arriving at the indexer will still be placed onto the queue.
The way it is currently worded seems to indicate that once the queue is full any new events arriving at the indexer will be dropped. It makes no mention of removing/dropping data from the queue itself.
Is there a better solution here?
I have also tried setting queues in inputs.conf which has no effect.
... View more
04-07-2014
10:27 PM
Hi All,
We have a customer who could not justify the cost of a clustered solution. So they went down the following route.
Basic System
2x Indexers with Splunk frontends
3x Universal Forwarders
Data from Forwarders
One set of polling logs goes to Indexer-1
A second set of logs goes to Indexer-2 (same data sent to Indexer-1 but less frequent polling)
And the Unix TA logs go to both indexers
It was envisioned that if Indexer-1 dies Indexer-2 will still be chugging along with a similar data set that is polled less frequently.
This all currently works perfectly.
However if you take one of the indexers offline the universal forwarders queues fill up as they cannot send data to the offline indexer. The whole indexer grinds to a halt and no new data is sent to the indexer that is still online.
While I understand the system is protecting against data loss. The whole system grinding to a halt is actually much worse.
I thought blockOnCloning in outputs.conf might resolve this as the Unix TA logs are cloned but based on the default behaviour of this is not the issue causing the queue to fill up either.
dropEventsOnQueueFull does not appear behave how I would expect it to behave. Docuemntation seems to indicate it doesn't drop the queue contents it cannot deliver (due to indexer outage) it just keeps the queue full and drops any new data. So instead of getting rid of the data that is causing the blockage and continuing it just drops everything new??? Seems a bit backwards to me.
Is there any way to resolve this?
I dont care if data is lost for the offline indexer I just want my remaining online indexer to keep getting data.
... View more
04-04-2014
01:04 AM
Excellent thanks again Nick. See I knew it would be a simple answer and thanks for clarifying why I had trouble seeing it with firebug.
Infact it is actually so simple I am a little embarrassed I didnt just take a stab in the dark and test that.
... View more
04-03-2014
06:23 PM
I found a solution but it is by no means ideal. I am sure there is a better way with access to the ModuleID from javascript.
myCustomModule.conf
[module]
# The JavaScript name of the module
className = Splunk.Module.myCustomModule
# The module class to subclass from
superClass = Splunk.Module.DispatchingModule
description = Another method for giving people access to specific D3 charts who need to use advanced.xml or sideViewUtil
[param:UniqueID]
required = False
default = chart_1
label = This is required when you put more than one of these modules on the same dashboard
myCustomModule.html
<%page args="module"/>
<div id="${module['UniqueID']}" class='with-3d-shadow with-transitions'>
<svg> </svg>
</div>
myCustomModule.js
..... standard of code for module which pulls in parameters...
var parentThis = this;
// add chart to page
nv.addGraph(function() {
...... more code for chart construction.....
// add chart to div
d3.select('#' + parentThis.UniqueID + ' svg')
.datum(chartdata)
.transition().duration(500).call(chart);
... View more
04-03-2014
04:57 PM
Hi All,
I am having a small issue which I am sure has a quite simple answer but I am yet to discover it.
So I have written a custom module which uses Javascript to populate the contents of a HTML div with a particular <div id="chart1">.
myCustomModule.html
<div id="chart1" class='with-3d-shadow with-transitions'>
<svg> </svg>
</div>
myCustomModule.js
..... lots of code for modules...
// add chart to div
d3.select('#chart1 svg')
.datum(chartdata)
.transition().duration(500).call(chart);
Now this is all well and good and works until I add another of the same custom module now I cant identify which div is which.
So digging through Splunks internal modules I came across a way of getting the ID assigned by Splunk to the module.
So I now have the following
myCustomModule.html
<%page args="module"/>
<div id="${module['id']}_chart" class='with-3d-shadow with-transitions'>
<svg> </svg>
</div>
Now this correctly adds the modules ID to output this HTML
<div id="myCustomModule_0_11_0_chart" class='with-3d-shadow with-transitions'>
<svg> </svg>
</div>
etc..............
<div id="myCustomModule_0_14_0_chart" class='with-3d-shadow with-transitions'>
<svg> </svg>
</div>
This is great and extactly what I want. My only issue now is how do I get the module ID from within my myCustomModule.js?
myCustomModule.js (see **HowDoIPutTheModuleIDHere** for where I want the ModuleID to make myCustomModule_0_14_0_chart)
..... lots of code for modules...
// add chart to div
d3.select('#***HowDoIPutTheModuleIDHere*** svg')
.datum(chartdata)
.transition().duration(500).call(chart);
I have been digging around but haven't found anything yet any help would be greatly appreciated.
... View more
04-01-2014
08:33 PM
Simple error. I didn't have the app installed on indexer2 which means that the index did not exist for the Unix TA. So the data had nowhere to go.
Installed the app and everything is working as expected.
... View more
04-01-2014
08:20 PM
Hi All,
I have installed the Unix TA onto a Universal Forwarder and am wanting its results be send to two independent indexers.
I have installed the Unix TA on a universal forwarder and activated it.
Tow send the same data to two indexers you use defaultGroup in outputs.conf from the documentation
http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Outputsconf
So I have the following configs but the data is still only appearing at the indexer1 and not the indexer2.
vi /opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server=10.10.10.10:9997
compressed=true
[tcpout:indexer2]
server=10.10.10.12:9997
compressed=true
inputs.conf in system probably not important for this but I thought I would include it for completeness. This works btw and the data goes to the correct indexers.
vi /opt/splunkforwarder/etc/system/local/inputs.conf
[default]
host = forwarder1
[monitor:///var/log/info.log]
disabled = false
followTail = 0
host = forwarder1
sourcetype = holdingRegisters
_TCP_ROUTING = indexer1
[monitor:///var/log/info-alt.log]
disabled = false
followTail = 0
host = forwarder1
sourcetype = holdingRegisters
_TCP_ROUTING = indexer2
... View more
03-20-2014
04:39 PM
Actually it might be possible with this in transforms.conf
[ ]
REGEX =
FORMAT = sourcetype::
DEST_KEY = MetaData:Sourcetype
http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/Advancedsourcetypeoverrides
But I am straying far from my original question now 🙂
... View more
03-20-2014
04:34 PM
This is exactly what I came here to post but you beat me to it.
The data file example I provided about is only an example. There are actually 6 header rows and I am getting 6 errors.
So yes there is nothing really I can do about these errors I just need to live with them.
Thanks for the regexp tip though.
I dont think I will be able to extract both sets of data into different sourcetypes unless transforms.conf allows me to override a sourcetype setting for a particular event if it matches a particular regexp.
... View more
03-19-2014
11:09 PM
Hi All,
I am getting some annoying messages in splunkd.log
03-20-2014 15:47:27.631 +1000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Mar 20 16:45:00 2014). Context: source::/opt/mydata/PUBLIC_P5MIN_201403201550_20140320154535.CSV|host::amo-web|p5_reports|38558
Now I know what this error means but it doesnt really fit with my data. But I suspect I know what its occurring I just want to stop it.
So I have my CSV data file which is of the following format
I,P5MIN,LOCAL_PRICE,1,RUN_DATETIME,DUID,INTERVAL_DATETIME,LOCAL_PRICE_ADJUSTMENT,LOCALLY_CONSTRAINED,LASTCHANGED
D,P5MIN,LOCAL_PRICE,1,"2014/03/19 12:00:00",DATA1,"2014/03/19 12:00:00",0,0,"2014/03/19 11:55:29"
D,P5MIN,LOCAL_PRICE,1,"2014/03/19 12:00:00",DATA1,"2014/03/19 12:05:00",0,0,"2014/03/19 11:55:29"
D,P5MIN,LOCAL_PRICE,1,"2014/03/19 12:00:00",DATA1,"2014/03/19 12:10:00",0,0,"2014/03/19 11:55:29"
D,P5MIN,LOCAL_PRICE,1,"2014/03/19 12:00:00",DATA1,"2014/03/19 12:15:00",0,0,"2014/03/19 11:55:29"
D,P5MIN,LOCAL_PRICE,1,"2014/03/19 12:00:00",DATA1,"2014/03/19 12:20:00",0,0,"2014/03/19 11:55:29"
D,P5MIN,LOCAL_PRICE,1,"2014/03/19 12:00:00",DATA1,"2014/03/19 12:25:00",0,0,"2014/03/19 11:55:29"
I,P5MIN,REGIONSOLUTION,4,RUN_DATETIME,INTERVAL_DATETIME,REGIONID,RRP
D,P5MIN,REGIONSOLUTION,4,"2014/03/19 12:00:00","2014/03/19 12:00:00",STATE1,54.07
D,P5MIN,REGIONSOLUTION,4,"2014/03/19 12:00:00","2014/03/19 12:05:00",STATE1,53.8101
D,P5MIN,REGIONSOLUTION,4,"2014/03/19 12:00:00","2014/03/19 12:10:00",STATE1,53.8101
D,P5MIN,REGIONSOLUTION,4,"2014/03/19 12:00:00","2014/03/19 12:15:00",STATE1,53.8101
Now as you can see there are two sets of data in this file. I am only interested in the last section of data to go into Splunk.
This is achieved with the following props.conf
[p5_reports]
KV_MODE = none
SHOULD_LINEMERGE = false
TRANSFORMS-filterprices = setnull,getFiveMinutePrices
REPORT-extracts = fiveMinuteCsvExtract
TIME_PREFIX=D,P5MIN,REGIONSOLUTION,[^,]*,[^,]*
TIME_FORMAT=%y/%m/%d %H:%M:%S
and associated transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[getFiveMinutePrices]
REGEX = ^D,P5MIN,REGIONSOLUTION,(.*)
DEST_KEY = queue
FORMAT = indexQueue
[fiveMinuteCsvExtract]
DELIMS = ","
FIELDS = "I","P5MIN","REGIONSOLUTION","4","RUN_DATETIME","INTERVAL_DATETIME","REGIONID","RRP"
Now this all works fine and my data comes in and _time is associated with the second time field INTERVAL_DATETIME.
But my logfiles are FULL of these
03-20-2014 15:47:27.631 +1000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Mar 20 16:45:00 2014). Context: source::/opt/mydata/PUBLIC_P5MIN_201403201550_20140320154535.CSV|host::amo-web|p5_reports|38558
So is props.conf running first and generating these errors BEFORE I have filtered out only the stuff I want?
ie at what point is the timestamp looked for?
after transforms?
before tranforms?
And for bonus points it will be near impossible to extract both these types of data into seperate sourcetypes as the _times I want will be in different places?
... View more
01-06-2014
05:44 PM
1 Karma
Is there a better way to do this yet via the web console?
We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.
There was noone on staff over Christmas/New Year who could have performed this ssh command.
I would have hoped there should be an easier way?
Apart from restarting Splunk that is.
... View more
11-05-2013
04:13 PM
If they are using the web interface to create these dashboards I am not sure how you can force them to use a 'custom' template as opposed to the default one.
You could go down the path of editing the default template but it would probably have to be redone each time an update to Splunk is applied.
http://answers.splunk.com/answers/4502/edit-the-default-dashboard-template
... View more
11-05-2013
02:47 PM
With Splunk 6 the HTML in the AccountBar might be slightly different. So it might be a good idea to get a copy of it by viewing the HTML source of any dashboard then adjust it accordingly for your own HTML module.
... View more
11-05-2013
02:42 PM
I ended up just making a HTML module with minimal information and not including the broken AccountBar module.
<module name="HTML" layoutPanel="appHeader">
<param name="html"><![CDATA[
<a class="appLogo" href="/en-US/app/myapp"></a>
<h1>My App</h1>
<a class="splunkPoweredLogo" target="_blank" href="http://www.splunk.com"></a>
<a href="/en-GB/account/logout" style="float: right;">Logout</a>
]]></param>
</module>
... View more
10-30-2013
04:56 PM
Ok I thought I would give this a try in flash to see how they printed before I dug too deep into d3js charts.
I have constructed searches in this example that will work without my data so anyone can try these examples.
So I have this advancedXML and it works however see next section where I am having issues.
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
<label>MultiChartTypes</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="maxSize">1</param>
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
</module>
<module name="DashboardTitleBar" layoutPanel="viewHeader"/>
<module name="Message" layoutPanel="navigationHeader">
<param name="maxSize">1</param>
<param name="filter">splunk.search.job</param>
<param name="level">warn</param>
<param name="clearOnJobDispatch">True</param>
</module>
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">| gentimes start=01/01/2013 | eval field1 = random() % 100 | eval field2 = random() % 150 | eval date_month = strftime(starttime, "%b") | dedup date_month | fields date_month field1 field2</param>
<param name="latest">+6m</param>
<param name="earliest">0</param>
<module name="HiddenChartFormatter">
<param name="charting.data0">results</param>
<param name="charting.data0.jobID">@data.jobID</param>
<param name="charting.data1">view</param>
<param name="charting.data1.table">@data0</param>
<param name="charting.data1.columns">[0,1]</param>
<param name="charting.data2">view</param>
<param name="charting.data2.table">@data0</param>
<param name="charting.data2.columns">[0,2]</param>
<param name="charting.chart">column</param>
<param name="charting.chart.data">@data1</param>
<param name="charting.chart2">line</param>
<param name="charting.chart2.data">@data2</param>
<param name="charting.layout.charts">[@chart,@chart2]</param>
<module name="FlashChart">
<module name="Gimp"/>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</view>
Now however I have a primary base search and I fire off many sub searches(PostProcesses) from this and this is where the chart fails.
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
<label>MultiChartTypes</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="maxSize">1</param>
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
</module>
<module name="DashboardTitleBar" layoutPanel="viewHeader"/>
<module name="Message" layoutPanel="navigationHeader">
<param name="maxSize">1</param>
<param name="filter">splunk.search.job</param>
<param name="level">warn</param>
<param name="clearOnJobDispatch">True</param>
</module>
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">| gentimes start=01/01/2013 | eval field1 = random() % 100 | eval field2 = random() % 150 | eval date_month = strftime(starttime, "%b")</param>
<param name="latest">+6m</param>
<param name="earliest">0</param>
<module name="HiddenPostProcess" autoRun="True">
<param name="search">dedup date_month | fields date_month field1 field2</param>
<module name="HiddenChartFormatter">
<param name="charting.data0">results</param>
<param name="charting.data0.jobID">@data.jobID</param>
<param name="charting.data1">view</param>
<param name="charting.data1.table">@data0</param>
<param name="charting.data1.columns">[0,1]</param>
<param name="charting.data2">view</param>
<param name="charting.data2.table">@data0</param>
<param name="charting.data2.columns">[0,2]</param>
<param name="charting.chart">column</param>
<param name="charting.chart.data">@data1</param>
<param name="charting.chart2">line</param>
<param name="charting.chart2.data">@data2</param>
<param name="charting.layout.charts">[@chart,@chart2]</param>
<module name="FlashChart">
<module name="Gimp"/>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</view>
I am sure its something to do with this line which is using the base search. How do I use the postProcess search results?
<param name="charting.data0">results</param>
Also are there any more resources for d3js charts apart from this?
http://dev.splunk.com/view/SP-CAAAEN6
... View more
10-29-2013
11:38 PM
Ahhhh flash only. That will be what the issue is.
Thanks for the heads up.
I might have to look into d3js charts.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-01-2026
01:40 AM
|
