public's People

Contributors

dpaper-splunk, meznak

public's Issues

Confusing wording in ESR Search Duration section

<h3>Search Duration</h3>
<p/>
Description: The duration panels help visualize where search load is coming from. Left panel is an explicit breakdown of number of searches and duration between beginning and end. Right panel is similar, but buckets the searches into groups.
<p/>
Actions to take: Review how often searches are scheduled to run - do all the searches running every 1, 5, 10 or 15 minutes need to run as frequently? Consider enabling the scheduler window for searches so that Splunk can adjust their execution timing to spread the load out. Assistance can be found on <a href="http://docs.splunk.com/Documentation/Splunk/latest/Report/Schedulereports">http://docs.splunk.com/Documentation/Splunk/latest/Report/Schedulereports</a>. For frequently run searches, ensure that they are as fast as possible with each search being as specific as possible before the first pipe, including index sourcetype host or other values whenever possible.
<p/>
Time frame: Trending over the past 60 minutes.
</html>
</panel>
</row>
<row>
<panel>
<title>Duration #1</title>
<table>
<search id="exact_duration">
<query>index=_audit info=completed sourcetype=audittrail source=audittrail action=search
| eval search_span=round(search_lt-search_et)
| eval search_span=tostring(abs(search_span), "duration")
| top limit=12 search_span
| rename count AS "Count", percent AS "Percent", search_span AS "Search Span (clickable)"
| table "Search Span (clickable)", "Count", "Percent"</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<eval token="exactdur_duration">tostring(round(tonumber($job.runDuration$),2),"duration")</eval>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">search?q=index=_audit info=completed sourcetype=audittrail source=audittrail action=search
| eval search_span=round(search_lt-search_et)
| eval search_span=tostring(abs(search_span), "duration")
| search search_span="$click.value2$"
| stats count by savedsearch_name
| table savedsearch_name count
| rename savedsearch_name AS "Saved search name", count as Count&amp;earliest=-60m@m&amp;latest=now</link>
</drilldown>
</table>
<html>
<h3>Panel Execution Duration</h3>
<div class="custom-result-value">$exactdur_duration$</div>
</html>
</panel>
<panel>
<title>Duration #2</title>
<table>
<search id="bucketed_duration">
<query>index=_audit sourcetype=audittrail source=audittrail TERM(action=search) ( TERM(info=completed) OR ( TERM(info=granted) apiStartTime "search='search")) NOT "search_id='rsa_*"
| eval u=case( searchmatch("user=splunk-system-user OR user=nobody OR search_id=*scheduler_*"), "Scheduler", searchmatch(("search_id='1*")), "AdHocUser", 1=1, "AdHocSaved")
| eval search_id=md5(search_id), search_et=if(search_et="N/A", 0, search_et), search_lt=if(search_lt="N/A", exec_time, search_lt), et_diff=case(exec_time&gt;search_et, (exec_time-search_et)/60, 1=1, (search_lt-search_et)/60), searchStrLen=len(search)
| stats partitions=10 sum(searchStrLen) AS searchStrLen, count, first(et_diff) AS et_diff, first(u) as u, values(search) AS search BY search_id
| search searchStrLen&gt;0 et_diff=* count&gt;1
| eval Et_range=case(et_diff&lt;=0, "WTF", et_diff&lt;2, "0_1m", et_diff&lt;6, "1_5m", et_diff&lt;11, "2_10m", et_diff&lt;16, "3_15m", et_diff&lt;=65, "4_60m", et_diff&lt;=4*60+10, "5_4h", et_diff&lt;=24*60+10, "6_24h", et_diff&lt;=7*24*60+10, "7_7d", et_diff&lt;=30*24*60+10, "8_30d", et_diff&lt;=90*24*60+10, "9_90d", 1=1, "10_&gt;90d")
| chart count by Et_range, u
| eval Total=AdHocUser + AdHocSaved + Scheduler
| eventstats sum(AdHocUser) AS uTotal sum(AdHocSaved) AS aTotal, sum(Scheduler) AS sTotal, sum(Total) AS tTotal
| eval AdHocUserPerc=round((AdHocUser*100)/uTotal,3), AdHocSavedPerc=round((AdHocSaved*100)/aTotal,3), SchedulerPerc=round((Scheduler*100)/sTotal, 3), TotalPerc=round((Total*100)/tTotal, 3)
| addcoltotals
| eval Et_range=if(isnull(Et_range), "8_Total", Et_range)
| fields - aTotal sTotal tTotal, uTotal
| rex mode=sed field=Et_range "s/\d+_(.*)/\1/g"
| accum TotalPerc AS TotalPercCumulative
| eval TotalPercCumulative=if(TotalPercCumulative&lt;101, round(TotalPercCumulative, 1), "")
| rename Et_range AS "Search Span"</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<eval token="bucketeddur_duration">tostring(round(tonumber($job.runDuration$),2),"duration")</eval>
</progress>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

Problem: The term duration is already used on this dashboard (and elsewhere in the industry) to refer to a search's run time, but this section is measuring the time period searched. Generally, the term span is used for this, including elsewhere on this dashboard. This wording choice has caused confusion in nearly every customer-facing health check I've performed.

Proposed solution: Reword this section to refer to a search's span, rather than duration.

Note: If accepted, I'm happy to do this work.
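To make the span-versus-duration distinction concrete, here is an added Python example (not part of the repository or the issue) that reproduces the Duration #2 panel's origin classification and span bucketing over constructed `_audit` events, while keeping each search's time span separate from its run time. The `total_run_time` field and all sample values are assumptions made for the example.

```python
# Constructed sample _audit events (not real Splunk output). total_run_time is
# assumed to be the per-search run-time field on info=completed events.
SAMPLE_EVENTS = [
    {"user": "splunk-system-user", "search_id": "scheduler__admin__search__RMD5x_at_1700000000_1",
     "exec_time": 1700000000, "search_et": 1700000000 - 900, "search_lt": 1700000000,
     "total_run_time": 2.5},
    {"user": "alice", "search_id": "1700000050.123", "exec_time": 1700000050,
     "search_et": 1700000050 - 24 * 3600, "search_lt": 1700000050, "total_run_time": 41.0},
    {"user": "bob", "search_id": "rt_1700000060.7", "exec_time": 1700000060,
     "search_et": "N/A", "search_lt": "N/A", "total_run_time": 0.3},
]

# Upper bounds in minutes, whether the bound is inclusive, and the label after the
# dashboard's sed strips the ordering prefix; same order as the SPL case() statement.
SPAN_BUCKETS = [
    (0, True, "WTF"), (2, False, "1m"), (6, False, "5m"), (11, False, "10m"),
    (16, False, "15m"), (65, True, "60m"), (4 * 60 + 10, True, "4h"),
    (24 * 60 + 10, True, "24h"), (7 * 24 * 60 + 10, True, "7d"),
    (30 * 24 * 60 + 10, True, "30d"), (90 * 24 * 60 + 10, True, "90d"),
]

def origin(ev):
    """Mirror the panel's 'u' field: Scheduler / AdHocUser / AdHocSaved."""
    if ev["user"] in ("splunk-system-user", "nobody") or "scheduler_" in ev["search_id"]:
        return "Scheduler"
    if ev["search_id"].startswith("1"):
        return "AdHocUser"
    return "AdHocSaved"

def span_minutes(ev):
    """Time window the search covered (the panel's et_diff), in minutes."""
    et = 0 if ev["search_et"] == "N/A" else ev["search_et"]
    lt = ev["exec_time"] if ev["search_lt"] == "N/A" else ev["search_lt"]
    if ev["exec_time"] > et:
        return (ev["exec_time"] - et) / 60
    return (lt - et) / 60

def span_bucket(minutes):
    """Map a span in minutes onto the panel's Et_range buckets."""
    for bound, inclusive, label in SPAN_BUCKETS:
        hit = minutes <= bound if inclusive else minutes < bound
        if hit:
            return label
    return ">90d"

def summarize(events):
    """Report span bucket and run time side by side so the two are not conflated."""
    return [{"origin": origin(ev), "span_bucket": span_bucket(span_minutes(ev)),
             "run_time_s": ev["total_run_time"]} for ev in events]
```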
