The functional purpose of this is to define a custom span value for searches inside my views, to generate charts that are as accurate as possible, with respect to the JS chart limits on the number of points in a chart.
For Simple XML views, I have a macro which at the very end will return a span value:
macros.conf
[inline_customspan(2)]
args = type,hostname
definition = [ search index="nmon" sourcetype="nmon_data" $type$ $hostname$ | head 1 | addinfo\
| eval earliest=if(info_min_time == "0.000", info_search_time,info_min_time)\
| eval latest=if(info_max_time == "+Infinity", info_search_time,info_max_time)\
| eval searchStartTIme=strftime(earliest,"%a %d %B %Y %H:%M")\
| eval searchEndTime=strftime(latest,"%a %d %B %Y %H:%M")\
| eval Difference = (latest - earliest)\
| eval span=case(\
info_min_time == "0.000", "2m",\
Difference > (3000*24*60*60),"4d",\
Difference > (2000*24*60*60),"3d",\
Difference > (1000*24*60*60),"2d",\
Difference > (500*24*60*60),"1d",\
Difference > (333*24*60*60),"12h",\
Difference > (166*24*60*60),"8h",\
Difference > (83*24*60*60),"4h",\
Difference > (41*24*60*60),"2h",\
Difference > (916*60*60),"1h",\
Difference > (833*60*60),"55m",\
Difference > (750*60*60),"50m",\
Difference > (666*60*60),"45m",\
Difference > (583*60*60),"40m",\
Difference > (500*60*60),"35m",\
Difference > (416*60*60),"30m",\
Difference > (333*60*60),"25m",\
Difference > (250*60*60),"20m",\
Difference > (166*60*60),"15m",\
Difference > (83*60*60),"10m",\
Difference > (66*60*60),"5m",\
Difference > (50*60*60),"4m",\
Difference > (33*60*60),"3m",\
Difference > (16*60*60),"2m",\
Difference > (8*60*60),"1m",\
Difference > (2*60*60),"30s",\
Difference <= (2*60*60),"10s"\
)\
| eval spanrestricted=case(\
info_min_time == "0.000", 2*60,\
Difference > (916*60*60),60*60,\
Difference > (833*60*60),55*60,\
Difference > (750*60*60),50*60,\
Difference > (666*60*60),45*60,\
Difference > (583*60*60),40*60,\
Difference > (500*60*60),35*60,\
Difference > (416*60*60),30*60,\
Difference > (333*60*60),25*60,\
Difference > (250*60*60),20*60,\
Difference > (166*60*60),15*60,\
Difference > (83*60*60),10*60,\
Difference > (66*60*60),5*60,\
Difference > (50*60*60),4*60,\
Difference > (33*60*60),180,\
Difference > (16*60*60),"120",\
Difference > (8*60*60),"60",\
Difference > (2*60*60),"30",\
Difference <= (2*60*60),"10"\
)\
| eval span=case(spanrestricted < interval, interval, spanrestricted >= interval, span, isnull(interval), span)\
| return span ]
iseval = 0
Then, in my Simple XML views, I call the search like:
index="nmon" sourcetype="nmon_data" type="LPAR" $hostname$ | `$timefilter$` | $indicator$ | $aggregate$ | timechart `inline_customspan(type=LPAR,$hostname$)` limit=0 useother=f $statsmode$(usage) As usage by hostname
For Web framework views:
I have the same macro but without the return statement:
[inline_customspan_django(2)]
args = type,hostname
definition = head 1 | addinfo\
| eval earliest=if(info_min_time == "0.000", info_search_time,info_min_time)\
| eval latest=if(info_max_time == "+Infinity", info_search_time,info_max_time)\
| eval searchStartTIme=strftime(earliest,"%a %d %B %Y %H:%M")\
| eval searchEndTime=strftime(latest,"%a %d %B %Y %H:%M")\
| eval Difference = (latest - earliest)\
| eval span=case(\
info_min_time == "0.000", "2m",\
Difference > (3000*24*60*60),"4d",\
Difference > (2000*24*60*60),"3d",\
Difference > (1000*24*60*60),"2d",\
Difference > (500*24*60*60),"1d",\
Difference > (333*24*60*60),"12h",\
Difference > (166*24*60*60),"8h",\
Difference > (83*24*60*60),"4h",\
Difference > (41*24*60*60),"2h",\
Difference > (916*60*60),"1h",\
Difference > (833*60*60),"55m",\
Difference > (750*60*60),"50m",\
Difference > (666*60*60),"45m",\
Difference > (583*60*60),"40m",\
Difference > (500*60*60),"35m",\
Difference > (416*60*60),"30m",\
Difference > (333*60*60),"25m",\
Difference > (250*60*60),"20m",\
Difference > (166*60*60),"15m",\
Difference > (83*60*60),"10m",\
Difference > (66*60*60),"5m",\
Difference > (50*60*60),"4m",\
Difference > (33*60*60),"3m",\
Difference > (16*60*60),"2m",\
Difference > (8*60*60),"1m",\
Difference > (2*60*60),"30s",\
Difference <= (2*60*60),"10s"\
)\
| eval spanrestricted=case(\
info_min_time == "0.000", 2*60,\
Difference > (916*60*60),60*60,\
Difference > (833*60*60),55*60,\
Difference > (750*60*60),50*60,\
Difference > (666*60*60),45*60,\
Difference > (583*60*60),40*60,\
Difference > (500*60*60),35*60,\
Difference > (416*60*60),30*60,\
Difference > (333*60*60),25*60,\
Difference > (250*60*60),20*60,\
Difference > (166*60*60),15*60,\
Difference > (83*60*60),10*60,\
Difference > (66*60*60),5*60,\
Difference > (50*60*60),4*60,\
Difference > (33*60*60),180,\
Difference > (16*60*60),"120",\
Difference > (8*60*60),"60",\
Difference > (2*60*60),"30",\
Difference <= (2*60*60),"10"\
)\
| eval span=case(spanrestricted < interval, interval, spanrestricted >= interval, span, isnull(interval), span)
iseval = 0
Then, in my web framework views, I first set an input form:
<tr>
<td>
<p></p>
<b>Timechart Auto Interval definition:</b>
</td>
<td>
<p></p>
{% dropdown id="interval-dropdown" managerid="interval-definition" valueField="span" selectFirstChoice="true" showClearButton=false value="$valuesspan$"|token_safe %}
</td>
</tr>
Then, the associated searchmanager:
<!-- Interval Definition (span) -->
{% searchmanager
id="interval-definition" search='index=nmon sourcetype=nmon_data type=TOP hostname=$valueshostname$ | `inline_customspan_django(type=TOP,hostname=$valueshostname$)`'|token_safe
autostart=True
cache=False
earliest_time="$earlyval$"|token_safe
latest_time="$lateval$"|token_safe
auto_cancel=60
preview=True %}
And finally, the searchmanager which will use that token:
{% searchmanager
id="timesearch-cpu"
search='index=nmon sourcetype=nmon_data type=TOP hostname=$valueshostname$ Command=$valuescommand$ | dedup _time,pct_CPU,PID,Command,hostname | eval limit=(logical_cpus*100) | where pct_CPU<=limit | $valuesincrease$ | stats sum(pct_CPU) As pct_CPU,last(logical_cpus) As logical_cpus by _time,Command | eval conso_per_core=(pct_CPU/100) | stats sum(conso_per_core) As conso_per_core by _time,Command | timechart span=$valuesspan$ useother=f limit=20 $valuesstats$(conso_per_core) as "Usage_per_single_core" by Command'|token_safe
earliest_time="$earlyval$"|token_safe
latest_time="$lateval$"|token_safe
cache=False
auto_cancel=60
preview=True %}
All that stuff is available within the context of the Nmon Splunk App:
https://apps.splunk.com/app/1753/
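Added example (not part of the original post or of the Nmon app): a small Python model of the two case() ladders in the macro, useful for checking how many buckets per series each band can produce before editing the thresholds. The thresholds and span labels are copied from the macro; the function names are hypothetical, and `interval` is assumed to be the collection interval in seconds carried by the event.

```python
# Added model of the span ladder; thresholds and spans copied from the macro.
H, D = 3600, 86400
UNIT = {"s": 1, "m": 60, "h": H, "d": D}

# (window must exceed this many seconds, span label), in the macro's case() order
LADDER = [
    (3000*D, "4d"), (2000*D, "3d"), (1000*D, "2d"), (500*D, "1d"),
    (333*D, "12h"), (166*D, "8h"), (83*D, "4h"), (41*D, "2h"),
    (916*H, "1h"), (833*H, "55m"), (750*H, "50m"), (666*H, "45m"),
    (583*H, "40m"), (500*H, "35m"), (416*H, "30m"), (333*H, "25m"),
    (250*H, "20m"), (166*H, "15m"), (83*H, "10m"), (66*H, "5m"),
    (50*H, "4m"), (33*H, "3m"), (16*H, "2m"), (8*H, "1m"),
    (2*H, "30s"), (-1, "10s"),   # last entry stands for "Difference <= 2h"
]

def to_seconds(label):
    """Convert a span label such as "15m" to seconds."""
    return int(label[:-1]) * UNIT[label[-1]]

def pick_span(window, all_time=False):
    """First eval span=case(...): label for a search window in seconds."""
    if all_time:                      # info_min_time == "0.000"
        return "2m"
    return next(label for floor, label in LADDER if window > floor)

def effective_span(window, interval=None, all_time=False):
    """Final eval: never chart finer than the data's collection interval."""
    span = pick_span(window, all_time)
    restricted = min(to_seconds(span), H)   # spanrestricted ladder stops at 1h
    if interval is not None and restricted < interval:
        return interval                      # bare seconds, as in the macro
    return span

def max_points_per_band():
    """Worst-case buckets per series in each band (top band is unbounded)."""
    return {label: LADDER[i - 1][0] / to_seconds(label)
            for i, (_, label) in enumerate(LADDER) if i > 0}

if __name__ == "__main__":
    for label, pts in max_points_per_band().items():
        print(f"{label:>4}: at most {pts:7.1f} points per series")
    print(effective_span(24*H, interval=300), effective_span(7*D, interval=300))
```

With the thresholds above, every bounded band works out to at most 1000 buckets per series, which is the figure to re-check after changing any threshold.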