Dashboards & Visualizations

Dashboards created in Splunk 6.2 are not rendered correctly in Splunk Mobile App

rdeleonsplunk
Path Finder

Dashboards created in Splunk 6.2 are not showing up correctly on Splunk Mobile App. However, dashboards that were created in an older version of Splunk (ver. 6.1) are rendered correctly (but the time picker is defaults to "All Time" even when the default is set to "Today").

After some investigation I've noticed that dashboards created in Splunk 6.2 uses different XML tags compared to the Splunk 6.1. See examples below:

Splunk 6.1:

<dashboard>
  <label>Dashboard: Foobar</label>
  <row>
    <panel>
      <chart>
        <searchString>index=foo foobar by foobar_type </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
       ....

Splunk 6.2:

<dashboard>
  <label>Dashboard: Foobar</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=foo foobar by foobar_type</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>

The workaround right now is to manually edit the source and use the old XML tags (Splunk 6.1) to display the report.
But the Time Picker drop down is still not rendered correctly in Splunk Mobile App.

1 Solution

Suda
Communicator

I faced the same issue. Finally, I found it is a limitation by design.

We can find the current Mobile Access (1.0.1) supports only 5.0.x, 6.0.x and 6.1.x, NOT 6.2.x.
"Splunk Enterprise version support" topic on Mobile Access 1.0.1 documents.

So, we need to wait newer version Mobile Access which can support 6.2.x.

And I appreciate your workaround information.

Thank you.

View solution in original post

rdeleonsplunk
Path Finder

Btw, the Time Picker works in Splunk Mobile App if the old tags are used.

For example, the fieldset tag works when earliestTime and latestTime tags are used.

However, even if you set the default value of the token in the dashoard Splunk Mobile App internally defaults to "All Time". That's why when you first open the dashboard it will run an All Time query. You can cancel the query by picking a new time from the time picker. This can be a performance hog the search head especially if there a lot of Splunk Mobile App users in your Enterprise installation. The quick and dirty workaround is to create dashboards with hardcoded time-range and just label the dashboard accordingly, i.e. Chart (Today), Chart (Yesterday), etc.

Suda
Communicator

I faced the same issue. Finally, I found it is a limitation by design.

We can find the current Mobile Access (1.0.1) supports only 5.0.x, 6.0.x and 6.1.x, NOT 6.2.x.
"Splunk Enterprise version support" topic on Mobile Access 1.0.1 documents.

So, we need to wait newer version Mobile Access which can support 6.2.x.

And I appreciate your workaround information.

Thank you.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...