About ITWhisperer

ITWhisperer

As @gcusello says, with summary indexing, you have to bear in mind the licensing costs, and it partly depends on the sourcetype (stash vs non-stash), but it also depends on ingest- or workload- -based licensing model - for more details see here

ITWhisperer

Have you considered using a summary index to hold the extracted field(s)?

ITWhisperer

Hi @RanjiRaje Rather than trying to piggyback on someone else's issue, please start a new topic in Answers with details of your specific usecase, what you have tried so far, and the issues you are facing.

ITWhisperer

Here is an enhanced version of the dashboard which performs the actions you described (more or less). <form version="1.1" theme="light"> <label>Token-driven repetition save</label> <row> <panel> <table> <search> <query>| makeresults format=csv data="field value_1 value_2" | stats count as counter</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <condition match="$result.counter$ > 1"> <eval token="current">if($result.counter$ > 0,$result.counter$,null())</eval> <set token="trace"></set> </condition> <condition> <set token="trace"></set> <unset token="current"/> </condition> </done> </search> <option name="drilldown">none</option> </table> </panel> <panel> <table> <search> <query>| makeresults format=csv data="field value_1 value_2" | eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv", field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row> <panel> <table> <title>$current$</title> <search> <query>| makeresults format=csv data="field value_1 value_2" | eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv", field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv") | eval counter=$current$ | tail $current$ | reverse</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <condition match="$result.counter$ > 1"> <set token="spl">$result.spl$</set> <eval token="current">if($result.counter$ > 1,$result.counter$-1,null())</eval> </condition> <condition> <eval token="spl">if($result.counter$ > 0,$result.spl$,null())</eval> <unset token="current"/> </condition> </done> </search> <option name="drilldown">none</option> </table> </panel> <panel> <table> <search> <query>$spl$</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <unset token="spl"></unset> </done> </search> <option name="drilldown">none</option> </table> </panel> </row> </form>

ITWhisperer

Another way to possibility achieve this goal, albeit slowly, is to use tokens in a Classic SimpleXML dashboard to execute a series of searches. <form version="1.1" theme="light"> <label>Token-driven repetition</label> <init> <set token="trace"/> </init> <fieldset submitButton="false"> <input type="dropdown" token="limit"> <label>Loop count</label> <choice value="0">0</choice> <default>0</default> <initialValue>0</initialValue> <fieldForLabel>count</fieldForLabel> <fieldForValue>count</fieldForValue> <search> <query>| makeresults count=5 | streamstats count</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <change> <eval token="current">if($value$>0,$value$,null())</eval> <set token="trace"/> </change> </input> </fieldset> <row> <panel> <html> $trace$ </html> </panel> </row> <row> <panel> <table> <search> <query>| makeresults | fields - _time | eval counter=$current$</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <condition match="$result.counter$ > 0"> <eval token="trace">if($result.counter$>0,$trace$." ".$result.counter$,$trace$)</eval> <eval token="current">$result.counter$-1</eval> </condition> <condition match="$current$=0"> <unset token="current"/> </condition> </done> </search> <option name="drilldown">none</option> </table> </panel> </row> </form> The idea being that the input (in this case, but you could use a row count from your initial field list) is used to limit the number of times the "loop" is executed. The panel executes a search and reduces the counter by one. There is a panel which essentially shows a trace to show that the search has been executed. Updated due to the way the null() function now operates with respect to unsetting tokens!

ITWhisperer

Please provide more examples of the events you are dealing with, and include your desired results, and what you are getting (and why it is not correct)?

ITWhisperer

Another thing to consider with summary indexes is idempotent updates, that is, how to avoid double counting; for example, in your instance, if you created summaries for each day in your summary index, what do you do if you get events which arrive late (for whatever reason), how do you make sure they are included in the summary without double-counting the events which have already been summarised. I did a presentation on this a couple of years ago for the B-Sides program. https://github.com/bsidessplunk/2022/blob/main/Summary%20Index%20Idempotency/Bsides%20Spl22%20Summary%20Index%20Idempotency.pptx

ITWhisperer

You can have multiple "summary" indexes - perhaps one for each "primary" index and then apply RBAC to those summary indexes as well.

ITWhisperer

What would be the expected result from your sample data? 8 events and 52044 total bags or something else? | bin span=1d TIME | stats count latest("TOTAL DAILY BAGS") as TOTAL_DAILY_BAGS by TIME | stats sum(count) as total_events sum(TOTAL_DAILY_BAGS) as total_daily_bags If your TIME field is not already the date (as shown in your sample), you may need to bin it first

ITWhisperer

It is not so much the copy paste, it is the value used for All, this needs to be "All" not "*" (similarly with the initialValue) <form version="1.1" theme="light"> <label>All handling</label> <search id="base_search"> <query>| makeresults format=csv data="categories A B C" | table categories</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <fieldset submitButton="false"> <input type="multiselect" token="categories"> <label>Categories</label> <choice value="All">All</choice> <default>All</default> <initialValue>All</initialValue> <fieldForLabel>categories</fieldForLabel> <fieldForValue>categories</fieldForValue> <search base="base_search"> <query> |stats count by categories </query> </search> <valuePrefix>testCategories="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> AND </delimiter> <change> <eval token="form.categories">case(mvcount('form.categories')=0,"All",mvcount('form.categories')>1 AND mvfind('form.categories',"All")>0,"All",mvcount('form.categories')>1 AND mvfind('form.categories',"All")=0,mvfilter('form.categories'!="All"),1==1,'form.categories')</eval> <eval token="categories_choice">if('form.categories'=="All","categories=\"*\"",'categories')</eval> </change> </input> </fieldset> <row> <panel> <html> Categories: $categories_choice$ </html> </panel> </row> </form>

ITWhisperer

You don't have any specific drilldown action configured which means you will just get a basic search. If you want something more tailored, you should define a panel or other dashboard with the search that you want executed when the drilldown is triggered, and then configure the drilldown to activate this panel.

ITWhisperer

Try something like this | rex field=httpMessage.requestHeaders "User-Agent: (?<useragent>.*?)\\r\\n"

ITWhisperer

Please provide the raw event (not the formatted version e.g. {"AdditionalData": { "buildId":291,

ITWhisperer

Please provide some anonymised sample events which demonstrate the issue you are facing. Ideally, place these in a code block (using the </> formatting option).

ITWhisperer

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user experience. This article is about using tokens and handlers to control how a dashboard behaves. Modifying the "Waiting for data ..." message Starting with a simple count of events by sourcetype in the _internal index, depending on your system resources, anything above a small time period will usually produce a temporary "Waiting for data ..." message in place of the chart. <form version="1.1" theme="light"> <label>Internal counts</label> <description>Dashboard to demonstrate use of tokens and handlers</description> <fieldset submitButton="false"> <input type="time" token="period"> <label>Please select time period</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Sourcetype counts</title> <chart> <search> <query>index=_internal | eval label="Sourcetype" | chart count by label sourcetype useother=f limit=0</query> <earliest>$period.earliest$</earliest> <latest>$period.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.axisTitleY.text">Count</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisY.scale">log</option> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form> When a chart is displayed, particularly when the underlying search is not particularly fast, we would like to replace this with a tailored message, for example This is just a simple HTML panel which can be tailored to your needs. Now we need to control when the chart and the HTML panel are shown. The key to this is a token set in the done handler of the chart's search. To ensure that the token is undefined while the search is being executed, we can unset it in the change handler of the time selector. Now we can make it so that the chart depends on the token and the HTML rejects the same token. Since the token can either be present or not, this is enough to determine whether to display the chart or the HTML; it doesn't matter what the contents of the token are, merely that it is either set or unset. <form version="1.1" theme="light"> <label>Internal counts</label> <description>Dashboard to demonstrate use of tokens and handlers</description> <fieldset submitButton="false"> <input type="time" token="period"> <label>Please select time period</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> <change> <unset token="data"/> </change> </input> </fieldset> <row> <panel> <title>Sourcetype counts</title> <chart depends="$data$"> <search> <query>index=_internal | eval label="Sourcetype" | chart count by label sourcetype useother=f limit=0</query> <earliest>$period.earliest$</earliest> <latest>$period.latest$</latest> <sampleRatio>1</sampleRatio> <done> <set token="data"/> </done> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.axisTitleY.text">Count</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisY.scale">log</option> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> <html rejects="$data$"> <h1><center>Please wait while your search is being executed</center></h1> </html> </panel> </row> </form> Modifying values use by Inline CSS Tokens can be used elsewhere in dashboards; for example, using Cascading Style Sheets (CSS) to change how elements are displayed. In this example, the fill colour of the text element is modified by CSS and a token is used to change the value used by the CSS; this value is defined (randomly) by the search and passed to the CSS again using the done handler. <row> <panel> <html depends="$alwaysHide$"> <style> #single text { fill: $single_text_colour$ !important; } </style> </html> <single id="single"> <search> <done> <set token="single_text_colour">$result._colour$</set> </done> <query>| makeresults count=20 | fields - _time ``` This search creates events for a random set of hosts with random Severity values (skewed towards "LOW") A count of "CRITICAL" events is taken for each host to determine whether to show the host in red or green Note that in this instance, only the host with the most events is shown in the Single viz ``` | eval Severity=mvindex(split("LOW,CRITICAL",","),random()%5%4%3%2) | eval host="host".random()%3 | stats count count(eval(Severity=="CRITICAL")) as _critical by host | sort 0 - count | eval _colour=if(_critical>0,"red","green") | eval count=host | table host count _colour</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </single> </panel> </row> The panel can be refreshed to produce different results. Controlling search execution order Tokens can also be used to control the order in which searches are executed. In this example, Table C is dependent on a token which is set in the done handler of Table B, which in turn is dependent on a token which is set in the done handler of Table A <row> <panel> <table> <title>Table A</title> <search> <query>index=_internal | eval Now=now() | eval Time=time() | stats min(Now) as Now max(Time) as Time | fieldformat Now=strftime(Now,"%F %T") | fieldformat Time=strftime(Time,"%F %T")</query> <earliest>-30d@d</earliest> <latest>now</latest> <progress> <unset token="time_a"/> <unset token="time_b"/> </progress> <done> <set token="time_a">$result.Now$</set> </done> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> <panel> <table> <title>Table B</title> <search> <query>index=_internal | eval A_Time="$time_a$" | eval Now=now() | eval Time=time() | stats min(Now) as Now max(Time) as Time | fieldformat Now=strftime(Now,"%F %T") | fieldformat Time=strftime(Time,"%F %T")</query> <earliest>-30d@d</earliest> <latest>now</latest> <progress> <unset token="time_b"/> </progress> <done> <set token="time_b">$result.Now$</set> </done> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> <panel> <table> <title>Table C</title> <search> <query>index=_internal | eval B_Time="$time_b$" | eval Now=now() | eval Time=time() | stats min(Now) as Now max(Time) as Time | fieldformat Now=strftime(Now,"%F %T") | fieldformat Time=strftime(Time,"%F %T")</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> For example, Table B refreshes when Table A search completes, and Table C refreshes when Table B search completes. Refreshing Table B does not affect Table A, but Table C will also refresh when Table B's search completes. You can see that the Time field in Table B is the same as the Now field in Table C. The now() function effectively returns the time when the search query is parsed (at the beginning) and the time() function effectively returns the time when the eval statement is executed. Further information For further information about other dashboarding techniques, please see my Community Blog series on extending the Buttercup games tutorial Search "dashboard" "In Community Blog" "by ITWhisperer"

ITWhisperer

What is it you are trying to achieve? Tables normally have headers, if you want them, don't try to use CSS to change them, unless there is a specific reason to do so, e.g. to modify their appearance in some way.

ITWhisperer

Why are you modifying it in the first place? Try not changing the style of the thead?

ITWhisperer

The display attribute is still none, therefore the element will not be displayed.

ITWhisperer

If a token is not set, the dashboard will wait until the token is set before proceeding to evaluate the search. What is your usecase? Perhaps there may be a better way to approach this?

ITWhisperer

You have used this CSS styling which is hiding your table headers thead { visibility: hidden; display: none; /* Optional, but can be more effective */ }

ITWhisperer

Please share the source for your dashboard panel

ITWhisperer

Try (temporarily) adding a new panel to see what your users are getting back from the saved search and whether there are any errors <row> <panel> <title>Operational times</title> <table> <search> <query>| savedsearch set_operational_hours</query> <earliest>0</earliest> <latest>now</latest> </search> </table> </panel> </row> Moving the search may not help if the users' role does not allow them to successfully execute the savedsearch. Please check the permissions (as I said earlier).

ITWhisperer

Removing the depends will make the time selector input visible, but it still won't work because the change handler uses the operational_start_time token (which as we know is currently available for all users).

ITWhisperer

Studio is still limited in the finer aspects of dashboard control and visualisation. Best practice (in my opinion) at the moment is to stick with Classic Simple XML, especially if you already have a working dashboard on-prem, just copy (the source) to Cloud.

ITWhisperer

Very sparse information here - please share some anonymised sample events, preferably in a code block (using the </> edit option. Please share what you have already tried. Where your events have been ingested to. What your current results are, etc. Contributors are pretty talented here but mind-reading is a rare capability!

Posts	11337
Solutions	2295
Karma Given	72
Karma Received	3385
Member Since	‎2020-08-18

Dashboards: Hiding charts while search is being ex...

Buttercup Games: Further Dashboarding Techniques (...

Buttercup Games: Further Dashboarding Techniques (...

Buttercup Games: Further Dashboarding Techniques (...

Buttercup Games: Further Dashboarding Techniques (...

Buttercup Games: Further Dashboarding Techniques (...

Buttercup Games: Further Dashboarding Techniques (...

Buttercup Games: Further Dashboarding Techniques (...

Buttercup Games: Further Dashboarding Techniques (...

Buttercup Games: Further Dashboarding Techniques

Re: Indexing the results of a search

Re: Indexing the results of a search

Re: View results email link leads to 404 Not Found

Re: How to create field values as SPL for generati...

Re: How to create field values as SPL for generati...

Re: SUM & COUNT from a lookup table

Re: Summary index or any other alternative which a...

Re: Summary index or any other alternative which a...

Re: SUM & COUNT from a lookup table

Re: multiselect with AND

Re: expand field values in single event

Re: Extraction of a field inside Json data

Re: Json formatting in dashboard studio

Re: Json formatting in dashboard studio

Dashboards: Hiding charts while search is being ex...

Re: Table headers not visible

Re: Table headers not visible

Re: Table headers not visible

Re: What's the value of a token if is not set in a...

Re: Table headers not visible

Re: Table headers not visible

Re: Issue with time selector

Re: Issue with time selector

Re: Assistance with HTML/CSS/JS Support and Featur...

Re: Need help with Basic query over splunk

Are you a member of the Splunk Community?