Solved: Can someone please help me to understand what is w...

aasiaa · ‎05-09-2023

Hi,

I am creating the dashboard, where for couple of panels I will use similar query so I saved shared bit as base query. However I have 2 different indexes (environments) so I also created input to choose appropriate index for the base search. However it looks like it picks up just prod, and not returning results for ppe.

Can someone please help me to understand what is wrong with my code?

	"dataSources": {
		"ds_baseSearch": {
			"type": "ds.search",
			"options": {
				"query": "index=\"$env$\" sourcetype=some_sourcetype risk=*\n| spath risk\n| rename risk AS risk\n| eval riskCategory = if(risk <= 1.0, \"low\", if(risk<= 2.0, \"moderate\", \"high\"))\n| stats count(eval(riskCategory==\"low\")) as low, count(eval(riskCategory==\"moderate\")) as moderate, count(eval(riskCategory==\"high\")) as high, count as total\n    ",
				"queryParameters": {
					"earliest": "$time.earliest$",
					"latest": "$time.latest$"
				},
				"enableSmartSources": true
			},
			"name": "base_search"
		},
		"ds_search_2": {
			"type": "ds.chain",
			"options": {
				"query": "| stats sum(total) as Total ",
				"extend": "ds_baseSearch"
			},
			"name": "_total"
		},
	"defaults": {
		"dataSources": {
			"ds.search": {
				"options": {
					"queryParameters": {}
				}
			}
		}
	},
	"inputs": {
		"input_2": {
			"type": "input.timerange",
			"title": "Time period",
			"options": {
				"token": "time",
				"defaultValue": "-60m@m,now"
			}
		},
		"input_hw3xXSsR": {
			"options": {
				"items": [
					{
						"label": "prod",
						"value": "_prod"
					},
					{
						"label": "ppe",
						"value": "_ppe"
					}
				],
				"token": "evn",
				"defaultValue": "_prod"
			},
			"title": "Environment",
			"type": "input.dropdown",
			"dataSources": {}
		}
	},

VatsalJagani · ‎05-10-2023

@aasiaa - You can just open your search in open in search to see if the query is reflecting the index correctly or not.

Also, please try to grep for the word prod in the dashboards' source-code to confirm.

View solution in original post

VatsalJagani · ‎05-09-2023

@aasiaa - two questions:

Do you mean it gives results for prod, even when you select ppe from the dropdown?
Have you created the index with _prod and _ppe names?

aasiaa · ‎05-09-2023

@VatsalJagani , yes, exactly that. So it returns results just for prod and my indexes are index=_prod for prod and index=_ppe for ppe;

I have created base search for prod only to start with but then replaced index with 'env' token once I added dropdown. I thought that maybe I have _prod index left somewhere else in the code, but I do not.

Also for ppe when I run my query in separate splunk search results are 0, but I do not think that matters, it should just return 0 on the dashboard.

VatsalJagani · ‎05-10-2023

@aasiaa - You can just open your search in open in search to see if the query is reflecting the index correctly or not.

Also, please try to grep for the word prod in the dashboards' source-code to confirm.

Can someone please help me to understand what is wrong with my code?

Dashboard Studio

token

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms