Dashboards & Visualizations

Dashboards created in Splunk 6.2 are not rendered correctly in Splunk Mobile App

rdeleonsplunk
Path Finder

Dashboards created in Splunk 6.2 are not showing up correctly on Splunk Mobile App. However, dashboards that were created in an older version of Splunk (ver. 6.1) are rendered correctly (but the time picker is defaults to "All Time" even when the default is set to "Today").

After some investigation I've noticed that dashboards created in Splunk 6.2 uses different XML tags compared to the Splunk 6.1. See examples below:

Splunk 6.1:

<dashboard>
  <label>Dashboard: Foobar</label>
  <row>
    <panel>
      <chart>
        <searchString>index=foo foobar by foobar_type </searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
       ....

Splunk 6.2:

<dashboard>
  <label>Dashboard: Foobar</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=foo foobar by foobar_type</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>

The workaround right now is to manually edit the source and use the old XML tags (Splunk 6.1) to display the report.
But the Time Picker drop down is still not rendered correctly in Splunk Mobile App.

1 Solution

Suda
Communicator

I faced the same issue. Finally, I found it is a limitation by design.

We can find the current Mobile Access (1.0.1) supports only 5.0.x, 6.0.x and 6.1.x, NOT 6.2.x.
"Splunk Enterprise version support" topic on Mobile Access 1.0.1 documents.

So, we need to wait newer version Mobile Access which can support 6.2.x.

And I appreciate your workaround information.

Thank you.

View solution in original post

rdeleonsplunk
Path Finder

Btw, the Time Picker works in Splunk Mobile App if the old tags are used.

For example, the fieldset tag works when earliestTime and latestTime tags are used.

However, even if you set the default value of the token in the dashoard Splunk Mobile App internally defaults to "All Time". That's why when you first open the dashboard it will run an All Time query. You can cancel the query by picking a new time from the time picker. This can be a performance hog the search head especially if there a lot of Splunk Mobile App users in your Enterprise installation. The quick and dirty workaround is to create dashboards with hardcoded time-range and just label the dashboard accordingly, i.e. Chart (Today), Chart (Yesterday), etc.

Suda
Communicator

I faced the same issue. Finally, I found it is a limitation by design.

We can find the current Mobile Access (1.0.1) supports only 5.0.x, 6.0.x and 6.1.x, NOT 6.2.x.
"Splunk Enterprise version support" topic on Mobile Access 1.0.1 documents.

So, we need to wait newer version Mobile Access which can support 6.2.x.

And I appreciate your workaround information.

Thank you.

Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...