topic Re: Why am I unable to add my search to a dashboard panel? in Splunk Search

Why am I unable to add my search to a dashboard panel?

jagadeeshm — Thu, 26 Jan 2017 02:23:59 GMT

I am using the following search to get all indexes and sourcetypes. But I am unable to add the search to a dashboard panel. XML seems to escape the text correctly but doesn't bring back any results.

| eventcount summarize=false index=* index!=_* | dedup index | fields index 
     | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent

Re: Why am I unable to add my search to a dashboard panel?

bmo017 — Thu, 26 Jan 2017 03:16:00 GMT

Hello,

I am unsure of how to add the correct FirstEvent and LastEvent time in, but for the search in which you are looking for, I would use a tstats command similar to below to return the desired results.

To group every sourcetype by its index use the search below:

 | tstats count WHERE index=* by index sourcetype

To group the sourcetypes by index use the below search:

 | tstats count values(sourcetype) WHERE index=* by index

With this search it should populate your dashboard without a problem. You would just have to further investigate adding the first and last event times.

Re: Why am I unable to add my search to a dashboard panel?

cmerriman — Thu, 26 Jan 2017 12:44:27 GMT

Do you have the input created correctly? I added this to a dashboard panel exactly as written and added in an input for index and it seems to work just fine.

Re: Why am I unable to add my search to a dashboard panel?

jagadeeshm — Thu, 26 Jan 2017 13:53:58 GMT

Oh, I see the data after adding the input. But do I get to display it all indexes and sourcetypes

Re: Why am I unable to add my search to a dashboard panel?

jagadeeshm — Thu, 26 Jan 2017 13:56:30 GMT

The only problem is tstats command is timebound. In order to look for all indexes and sourcetypes, I have select "All Time" which is taking lot of time to return the results.

Re: Why am I unable to add my search to a dashboard panel?

cmerriman — Thu, 26 Jan 2017 14:11:11 GMT

it's seeing the | metadata type=sourcetypes index=\"$index$\" and | eval index=\"$index$\"" as a token. Just add an input and just have it always set to * if wanted.

Re: Why am I unable to add my search to a dashboard panel?

jagadeeshm — Thu, 26 Jan 2017 14:13:35 GMT

I am unable to set it to "*"

Re: Why am I unable to add my search to a dashboard panel?

cmerriman — Thu, 26 Jan 2017 14:18:48 GMT

try this:

<form>
  <label>test2</label>
  <fieldset submitButton="false">
    <input type="radio" token="index">
      <label>index</label>
      <choice value="\&quot;$index$\&quot;">all</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| eventcount summarize=false index=* index!=_* | dedup index | fields index 
      | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent</query>
          <earliest>-3d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Re: Why am I unable to add my search to a dashboard panel?

jagadeeshm — Thu, 26 Jan 2017 14:23:37 GMT

With this query, is it possible to filter on both indexes and sourcetypes? So the above query lists all indexes and sourcetype....I have those in hundreds.

Re: Why am I unable to add my search to a dashboard panel?

cmerriman — Thu, 26 Jan 2017 14:35:01 GMT

you could change/add to the input to filter, I believe.

Re: Why am I unable to add my search to a dashboard panel?

jagadeeshm — Fri, 27 Jan 2017 01:42:23 GMT

I opened up a separate question for my filters. Thanks!

Re: Why am I unable to add my search to a dashboard panel?

jagadeeshm — Fri, 27 Jan 2017 03:02:08 GMT

How I hide the input?

Re: Why am I unable to add my search to a dashboard panel?

cmerriman — Fri, 27 Jan 2017 12:48:59 GMT

add this to the form statement

<form hideFilters="true">