Can someone please help me to understand what is wrong with my code?

aasiaa
Path Finder

Hi, 

I am creating a dashboard where, for a couple of panels, I will use a similar query, so I saved the shared bit as a base query. However, I have 2 different indexes (environments), so I also created an input to choose the appropriate index for the base search. However, it looks like it picks up just prod and is not returning results for ppe.

Can someone please help me to understand what is wrong with my code?

	"dataSources": {
		"ds_baseSearch": {
			"type": "ds.search",
			"options": {
				"query": "index=\"$env$\" sourcetype=some_sourcetype risk=*\n| spath risk\n| rename risk AS risk\n| eval riskCategory = if(risk <= 1.0, \"low\", if(risk<= 2.0, \"moderate\", \"high\"))\n| stats count(eval(riskCategory==\"low\")) as low, count(eval(riskCategory==\"moderate\")) as moderate, count(eval(riskCategory==\"high\")) as high, count as total\n    ",
				"queryParameters": {
					"earliest": "$time.earliest$",
					"latest": "$time.latest$"
				},
				"enableSmartSources": true
			},
			"name": "base_search"
		},
		"ds_search_2": {
			"type": "ds.chain",
			"options": {
				"query": "| stats sum(total) as Total ",
				"extend": "ds_baseSearch"
			},
			"name": "_total"
		}
	},
	"defaults": {
		"dataSources": {
			"ds.search": {
				"options": {
					"queryParameters": {}
				}
			}
		}
	},
	"inputs": {
		"input_2": {
			"type": "input.timerange",
			"title": "Time period",
			"options": {
				"token": "time",
				"defaultValue": "-60m@m,now"
			}
		},
		"input_hw3xXSsR": {
			"options": {
				"items": [
					{
						"label": "prod",
						"value": "_prod"
					},
					{
						"label": "ppe",
						"value": "_ppe"
					}
				],
				"token": "evn",
				"defaultValue": "_prod"
			},
			"title": "Environment",
			"type": "input.dropdown",
			"dataSources": {}
		}
	},

0 Karma
VatsalJagani
SplunkTrust

@aasiaa - two questions:

  • Do you mean it gives results for prod, even when you select ppe from the dropdown?
  • Have you created the index with _prod and _ppe names?

0 Karma

aasiaa
Path Finder

@VatsalJagani, yes, exactly that. So it returns results just for prod, and my indexes are index=_prod for prod and index=_ppe for ppe.

I created the base search for prod only to start with, but then replaced the index with the 'env' token once I added the dropdown. I thought that maybe I had a _prod index left somewhere else in the code, but I do not.

Also, for ppe, when I run my query in a separate Splunk search the results are 0, but I do not think that matters; it should just return 0 on the dashboard.

0 Karma

VatsalJagani
SplunkTrust

@aasiaa - You can just open your search with "Open in Search" to see whether the query reflects the index correctly or not.

Also, please try to grep for the word prod in the dashboard's source code to confirm.

0 Karma
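
The source-code check suggested in the answer above can be automated. The Python script below is an added example, not part of the original thread and not Splunk's own code: it lists every token a data source references that no input defines, and every input token that no data source uses. The `$name$` / `$name.part$` token syntax it matches and the sample definition (constructed from the fragment in the question) are assumptions.

```python
import json
import re

# Constructed sample: trimmed Dashboard Studio definition modelled on the
# fragment in the question (same token names, query shortened).
SAMPLE = r'''
{
  "dataSources": {
    "ds_baseSearch": {"type": "ds.search", "options": {
      "query": "index=\"$env$\" sourcetype=some_sourcetype risk=*",
      "queryParameters": {"earliest": "$time.earliest$", "latest": "$time.latest$"}}},
    "ds_search_2": {"type": "ds.chain", "options": {
      "query": "| stats sum(total) as Total", "extend": "ds_baseSearch"}}
  },
  "inputs": {
    "input_2": {"type": "input.timerange", "options": {"token": "time"}},
    "input_hw3xXSsR": {"type": "input.dropdown", "options": {"token": "evn"}}
  }
}
'''

# Assumption: a token reference looks like $name$ or $name.part$.
TOKEN_RE = re.compile(r"\$(\w+)(?:\.\w+)*\$")

def strings_in(node):
    """Yield every string nested anywhere under a parsed JSON node."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            yield from strings_in(child)

def check_tokens(definition):
    """Return ({data source: undefined tokens}, [input tokens never used])."""
    defined = {inp["options"]["token"]
               for inp in definition.get("inputs", {}).values()
               if "token" in inp.get("options", {})}
    undefined, used = {}, set()
    for ds_id, ds in definition.get("dataSources", {}).items():
        refs = {m.group(1) for text in strings_in(ds.get("options", {}))
                for m in TOKEN_RE.finditer(text)}
        used |= refs
        if refs - defined:
            undefined[ds_id] = sorted(refs - defined)
    return undefined, sorted(defined - used)

if __name__ == "__main__":
    print(check_tokens(json.loads(SAMPLE)))
```

On the constructed sample it reports `env` as referenced by `ds_baseSearch` but defined by no input, and `evn` as an input token that no data source uses.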