All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Microsoft Azure Billing Add-on: How do I convert a field to a token that I can use In the dashboard checkbox input search?

Kendo213
Communicator
‎09-20-2018 11:14 AM

My goal is the following:

  • I have "billing periods" coming in from the Azure billing Add-on
  • I'm converting the billing period value to epoch in the dashboard checkbox input search
  • I want the user to select a billing period and for that to determine the length in which the base search goes back
  • I am wanting to use this field (epoch value) to specify the "earliest" time of the base search in the dashboard

How can I go about doing this? This is what I have so far, and it's a mess, as I've tested multiple things, but hopefully it will give some context for what I'm trying to do. I'm missing some step on how to convert the evaluated field to a token that I can use in the base search. 

<form>
  <label>Azure Billing</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="billingperiodselected" searchWhenChanged="true">
      <label>Billing Period</label>
      <fieldForLabel>billingperiod</fieldForLabel>
      <fieldForValue>billingperiod</fieldForValue>
      <search>
        <query>index=test sourcetype=azure:billing | rex field=properties.billingPeriodId (?:\/subscriptions\/mysubid\/providers\/Microsoft\.Billing\/billingPeriods\/)(?<billingperiod>\d+) | rex field=billingperiod (?<year>\d{4})(?<month>\d{2})(?<day>\d{2}) | eval earliestdate=month."/".day."/".year." 00:00:00" | eval earliestdate = strptime('earliestdate', "%m/%d/%Y %H:%M:%S") | stats count by billingperiod,earliestdate | fields *</query>
      </search>
    </input>
  </fieldset>
    <search id="basebillingsearch" depends="$earliestdate$">
  <query>index=test sourcetype=azure:billing | fields *</query>
  <earliest>$earliestdate$</earliest>
  <latest>now</latest>
  </search>
   <row>
    <panel>
      <chart>
        <title>Test</title>
        <search base="basebillingsearch">
          <query>| timechart sum("properties.pretaxCost") span=1d</query>
          </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    </row>
</form>
0 Karma
Reply

Kendo213
Communicator
‎09-20-2018 11:53 AM

I believe I resolved this by adding a field in the search that is evaluating the time in epoch. I set a token in the field and I can pass that to the base search.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...