topic Re: how to link search query from Dashboard to search tab which is having variables in Splunk Search

how to link search query from Dashboard to search tab which is having variables

rkishoreqa — Wed, 23 Dec 2020 18:27:49 GMT

I build a query to fetch the long running jobs in Dashboard like as below. Here the $Time$ is a token which was selected from dropdown menu in that panel.

In dashboard it is showing some numbers (3 long running jobs). But when I clicked on that number it is going to the search tab with below query and not fetching any results.

But when I change the 'eval LB=5*60 | eval UB=5+1*60' to 'eval LB=300 | eval UB=360' it is fetching the results.
Here I am confused, is this right approach or not. Can anyone suggest me on this.

Re: how to link search query from Dashboard to search tab which is having variables

scelikok — Wed, 23 Dec 2020 19:31:39 GMT

Hi @rkishoreqa, $Time$ token is processed as string, that is UB and LB fields become string.

Please try as below;

| rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" |rex field=_raw "jobId: (?<jId>\w+);" | stats earliest(_time) as start latest(_time) as end by jId,sourcetype | eval diff=end-start |eval LB=tonumber($Time$)*60 | eval UB=tonumber($Time$)+1*60 | stats count(eval((diff> LB) AND (diff<UP))) as count

If this reply helps you an upvote is appreciated.

Re: how to link search query from Dashboard to search tab which is having variables

rkishoreqa — Thu, 24 Dec 2020 09:09:17 GMT

Thanks Scelikok
it is working but I changed little bit - tonumber($Time$+1)*60