Hi,
I am creating a dashboard where, for a couple of panels, I will use a similar query, so I saved the shared bit as a base query. However, I have 2 different indexes (environments), so I also created an input to choose the appropriate index for the base search. However, it looks like it picks up just prod and is not returning results for ppe.
Can someone please help me to understand what is wrong with my code?
"dataSources": {
    "ds_baseSearch": {
        "type": "ds.search",
        "options": {
            "query": "index=\"$env$\" sourcetype=some_sourcetype risk=*\n| spath risk\n| rename risk AS risk\n| eval riskCategory = if(risk <= 1.0, \"low\", if(risk<= 2.0, \"moderate\", \"high\"))\n| stats count(eval(riskCategory==\"low\")) as low, count(eval(riskCategory==\"moderate\")) as moderate, count(eval(riskCategory==\"high\")) as high, count as total\n ",
            "queryParameters": {
                "earliest": "$time.earliest$",
                "latest": "$time.latest$"
            },
            "enableSmartSources": true
        },
        "name": "base_search"
    },
    "ds_search_2": {
        "type": "ds.chain",
        "options": {
            "query": "| stats sum(total) as Total ",
            "extend": "ds_baseSearch"
        },
        "name": "_total"
    }
},
"defaults": {
    "dataSources": {
        "ds.search": {
            "options": {
                "queryParameters": {}
            }
        }
    }
},
"inputs": {
    "input_2": {
        "type": "input.timerange",
        "title": "Time period",
        "options": {
            "token": "time",
            "defaultValue": "-60m@m,now"
        }
    },
    "input_hw3xXSsR": {
        "options": {
            "items": [
                {
                    "label": "prod",
                    "value": "_prod"
                },
                {
                    "label": "ppe",
                    "value": "_ppe"
                }
            ],
            "token": "evn",
            "defaultValue": "_prod"
        },
        "title": "Environment",
        "type": "input.dropdown",
        "dataSources": {}
    }
},
@aasiaa - You can just open your search with "Open in Search" to see whether the query is reflecting the index correctly or not.
Also, please try to grep for the word prod in the dashboard's source code to confirm.
@aasiaa - two questions:
@VatsalJagani, yes, exactly that. So it returns results just for prod, and my indexes are index=_prod for prod and index=_ppe for ppe.
I created the base search for prod only to start with, but then replaced the index with the 'env' token once I added the dropdown. I thought that maybe I had a _prod index left somewhere else in the code, but I do not.
Also, for ppe, when I run my query in a separate Splunk search, the results are 0, but I do not think that matters; it should just return 0 on the dashboard.
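The source-code check suggested in the replies can also be scripted. The following is an added example, not code from any poster or from Splunk: it lists the `$token$` references in each data source that no input defines. It assumes the full dashboard definition is valid JSON; `SAMPLE` is constructed from a cut-down copy of the fragment posted above, and the function names are hypothetical.

```python
import json
import re

# A token reference looks like $name$ or $name.sub$ (for example $time.earliest$).
TOKEN_REF = re.compile(r"\$([A-Za-z_]\w*)(?:\.[\w.]+)?\$")


def defined_tokens(definition):
    """Token names set by the dashboard's inputs."""
    return {
        inp["options"]["token"]
        for inp in definition.get("inputs", {}).values()
        if "token" in inp.get("options", {})
    }


def referenced_tokens(definition):
    """Map each data source id to the token names used in its query and queryParameters."""
    refs = {}
    for ds_id, ds in definition.get("dataSources", {}).items():
        opts = ds.get("options", {})
        params = [str(v) for v in opts.get("queryParameters", {}).values()]
        names = set(TOKEN_REF.findall(" ".join([opts.get("query", ""), *params])))
        if names:
            refs[ds_id] = names
    return refs


def undefined_token_refs(definition):
    """Data sources that reference a token which no input sets."""
    known = defined_tokens(definition)
    found = referenced_tokens(definition).items()
    return {ds: sorted(names - known) for ds, names in found if names - known}


# Constructed sample: a cut-down copy of the posted fragment, wrapped in braces.
SAMPLE = json.loads(r'''{
  "dataSources": {
    "ds_baseSearch": {"type": "ds.search", "options": {
      "query": "index=\"$env$\" sourcetype=some_sourcetype risk=*",
      "queryParameters": {"earliest": "$time.earliest$", "latest": "$time.latest$"}}},
    "ds_search_2": {"type": "ds.chain", "options": {
      "query": "| stats sum(total) as Total ", "extend": "ds_baseSearch"}}},
  "inputs": {
    "input_2": {"type": "input.timerange", "options": {"token": "time"}},
    "input_hw3xXSsR": {"type": "input.dropdown", "options": {"token": "evn"}}}
}''')

if __name__ == "__main__":
    print("defined:", sorted(defined_tokens(SAMPLE)))
    print("undefined references:", undefined_token_refs(SAMPLE))
```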