I have 4 dashboards each of which use 2-3 real time searches. Now watching the dashboards with firebug I can see that all my visualizations call Splunk with the realtime search ID to get the latest data at regular intervals. Now we have many users that would like to view these dashboards however it appears if two seperate users are viewing the same dashboard they will each have their own seperate realtime search running. Even though its the same search returning the same results. Is there any way to have both users dashboards calling for results from the same searchID thus reducing the number of real time searches in use by the system. Having to have multiple versions of the same real time search really limits the number of users on the system. Having shared real time searches would actually allow me to have 2 real time searches feed data to all 4 dashboards. I was reading up on the internals of real time searches yesterday as well as many questions here. I am sure I found a post from a few years ago where someone said they were looking at including this behavior into future versions of Splunk. If I can find it again I will post the link here. ... View more

I note that on this instructions from the manual you can remove the 'App' from the menu. http://docs.splunk.com/Documentation/Splunk/5.0.2/AdvancedDev/DefaultApp <module name="AccountBar" layoutPanel="appHeader"> <param name="mode">lite</param> </module> 'lite' however does not remove the items (in particular manager and app dropdowns) that are mentioned in the /opt/splunk/share/splunk/search_mrsparkle/modules/nav/AccountBar.conf When this is set to 'popup,' there are no links, the logo cannot be clicked, the view name is displayed instead of the app name, and there is a close button in the upper right. 'lite' mode displays only the account links and a back link, no logo or app menu. ... View more

Got posed a tricky question today for a search. We are monitoring a diesel generator which generates a number of alarms which are sent as a single integer with each bit of that integer meaning a particular alarm. ie bit 0 - high_rpm bit 1 - high_temp bit 2 - low_temp etc.... Now this generator is being polled every 5 seconds and data results are begin fed back into Splunk. So an event would look like this (where sectionCode identifies the generator) time_of_event, sectionCode=generator1, alarmCode, rpm, output_kw So I was asked to show a list of when alarms went on and off so I came up with this search. sourcetype="holdingRegisters" sectionCode=gen* | sort 0 sectionCode, _time asc | delta alarmCode AS alarmChange | search alarmChange!=0 | `gen_alarm_decode(alarmCode)` | sort 0 _time sectionCode desc | table _time, sectionCode, alarmCode, description and the macro gen_alarm_decode decodes the bitwise values into human readable terms. (this works fine) eval description=if(floor($bitVar$)%2>0,"High RPM, ","") | eval description=description + if(floor($bitVar$/2)%2>0,"High Temp, ","") | eval description=description + if(floor($bitVar$/4)%2>0,"Low Temp, ","") Now this search returns me a list of all entries where the alarmCode changed and what the remaining alarmCodes that were still set were. So results would look like this Sun 10:35pm, generator1, 0, Sun 10pm, generator1, 2, High Temp Sun 8pm, generator1, 3, High RPM, High Temp etc..... All well and good and I was pleased with my effort on that search. But I have been asked to change this to a more SCADA style output. Where the client sees a column for each alarm and its status. If the alarm is on it will list the time it turned on... when it goes off it will list the start and end times So it should be something like this (put in a pseudo csv/table format for display here) Time, sectionCode, alarmCode, high_rpm, high_temp, low_temp Sun 10:35pm, generator1, 0, - , 8pm-10:35pm, - Sun 10pm, generator1, 2, 8pm-10pm, 8pm-?, - Sun 8pm, generator1, 3, 8pm-?, 8pm-?, - etc..... Note ? above are for where the alarm is still on. The - are for when alarm is off. If it helps matters I have also decoded the bitwise field on our custom modbus poller. So really events look like this time_of_event, sectionCode=generator1, alarmCode, rpm, output_kw, bitAlarm0, bitAlarm1, bitAlarm2 The only reason I didn't mention it until now was because I didn't need those bitfields yet. Anyone have any thoughts. It has me slightly stumped. If I find a solution will post here regardless. ... View more

This is a follow on from my previous post http://splunk-base.splunk.com/answers/79823/custom-json-module-wont-do-post-processing I followed the example provided below to build a custom module that passes JSON data through in the 'Application Framework Cookbook' http://dev.splunk.com/view/SP-CAAADXY My new visualisations work perfectly when performing normal searches. <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True" > <param name="search">sourcetype="mySourceType" sectionCode=g* | fields sectionCode, other1, other2, _time</param> <param name="earliest">-60min</param> When I change the search to be <param name="earliest">rt-10m</param> <param name="latest">rt</param> It doesn't render at all let alone update in real time. My JS is here http://pastebin.com/3hENrdg0 I have looked at the equivalent SimpleResultsTable and SingleValue which both handle realtime but I can't find what makes these actuallywork with realtime. ... View more

Hi All, I followed the example provided below to build a custom module that passes JSON data through http://dev.splunk.com/view/SP-CAAADXY This was all well and good and worked perfectly however I found that it did not perform post processing. For example if I have the following AdvancedXML (on pastebin due to crap formatting ui) http://pastebin.com/KEsGEEQK Now you can see I have a post processing search occurring. However the example does not handle post processing. So after much stuffing around I analysed the SimpleResultsTable.py to see how it did it. See %SPLUNK_HOME%/share/splunk/search_mrsparkle/modules/results/SimpleResultsTable.py Now I ended up with this http://pastebin.com/YfVsu9g7 However it still doesn't perform the post process and I get all the results for sectionCode instead of the single one I am running where sectionCode="g01" on. Notice in my advancedXML I am also performing a simple table and it works perfectly and only shows the subset of data. Is there somewhere else I need to code in postprocessing? ... View more

Hi All, Having a sticky issue with adding another time restriction after the primary search. The data we have that comes in is hourly... however the official start day for recording the data is 6am. So we need to shift _time by six hours when performing searches. What we would like to do is this index="myIndex" Identifier="53xxxx15" earliest="-10mon@mon" latest="-1mon@mon" Temperature=* | dedup _time, Identifier sortby -_indextime | eval _time = relative_time(_time, "-6h") | timechart span=1mon sum(TheDataReportedHourly) as Monthly_Totals Please note the dedup is required as there are multiple data points for the same hour and identifier. We only want to use the most recent. Now obviously the above searches earliest and latest is locking to the month before the time shift occurs so data is being lost. We have attempted to add an earliest and latest later on in the search but it returns no data index="myIndex" Identifier="53xxxx15" earliest="-11mon@mon" latest="-1mon@mon" Temperature=* | dedup _time, Identifier sortby -_indextime | eval _time = relative_time(_time, "-6h") | search * earliest="-10mon@mon" latest="-2mon@mon" | timechart span=1mon sum(TheDataReportedHourly) as Monthly_Totals I have tried to have the second search do things like _time<"A date" or _time<anEpoch but these fail as well. ie index="myIndex" Identifier="53xxxx15" earliest="-10mon@mon" latest="-1mon@mon" | dedup _time, Identifier sortby -_indextime | eval _time = relative_time(_time, "-6h") | eval afterDate=strptime("1 Jan 2012","%d %b %Y") | eval beforeDate=strptime("1 Dec 2012","%d %b %Y") | eval timeEpoch=strptime(_time,"%d/%b/%Y %H:%M:%S") | search _time>afterDate AND _tim<beforeDate | table _time, timeEpoch, afterDate, beforeDate Anyone have any ideas how I can shift _time then perform another _time restriction? ... View more

Seems like a pretty simple thing I am trying to do but it wont work. I have some bitwise data which I want to convert into a string equivalent. So in this example I want to see if bit 0 or bit 1 is set. Bit0 = This Text Bit1 = That Text This search works perfectly sourcetype=blah | eval desc=if(floor(bitData)%2>0,"This Text, ","") | eval desc=desc+ if(floor(bitData/2)%2>0,"That Text, ","") | table _time, bitData, desc Now I actually have 16 bitfields and want to reuse this eval chain quite a bit so thought I would make a macro out of it. However this does not work Macro definition eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","") | eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","") This search does not work though sourcetype=blah | `myMacro(bitData)` | table _time, bitData, desc I get the errors Error in 'SearchParser': Missing a search command before ' '. Unknown search command 'gen'. What gives here? ... View more