hi, I am trying to populate my drop-down list with a search result of a minute.
My main search is : version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value="not defined" year,version,error*
i am retriving the minutes by using - | stats count by date_minute
the search retuns table data but no data returned in the drop down list
I try to attache xml but there is some issues in the editor so i converted to json
{
"form": {
"label": "Dashboard test",
"search": {
"query": "version* error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error",
"id": "base_search"
},
"fieldset": {
"input": {
"search": {
"query": "| stats count by date_minute",
"_base": "base_search"
},
"fieldForLabel": "date_minute",
"fieldForValue": "date_minute",
"_type": "dropdown",
"_token": "date_minute",
"_searchWhenChanged": "true"
},
"_submitButton": "false"
},
"row": {
"panel": {
"table": {
"title": "Minute",
"search": {
"query": "version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error| stats count by date_minute",
"earliest": "0",
"latest": ""
},
"option": [
{
"_name": "wrap",
"text": "true"
},
{
"_name": "rowNumbers",
"text": "false"
},
{
"_name": "drilldown",
"text": "cell"
},
{
"_name": "dataOverlayMode",
"text": "none"
},
{
"_name": "count",
"_text": "10"
}
]
}
}
}
}
}
can you post another screenshot of it as it should help me see what you need to do next
hi, I am uploading the additional screenshot by using the post answer window, in the response window not allowing to post screenshots 😞
hi just please note in this video tutorial https://www.youtube.com/watch?v=cdWXKBzPZ78 used base search that probably does so inheritance I tried to follow the same flow but it was unsuccessfully.
Hi @mb_30
Looks like you havent used the search token to be defined against anything. I think even though your token name is date_minute it doesnt understand its that specific data set to pull through. You would need to define this in the dropdown
If you open the dashboard in edit mode and try adding the below into your source data (hopefully this should be close based on the version of splunk you are using)
<input type="dropdown" token="date_minute" searchWhenChanged="true">
<label>Dashboard Test</label>
<choice value="*">ALL</choice>
<prefix>date_minute="</prefix>
<suffix>"</suffix>
<fieldForLabel>date_minute</fieldForLabel>
<fieldForValue>date_minute</fieldForValue>
<search>
<query>version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error | table date_minute</query>
<earliest>@m</earliest>
<latest>now</latest>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
if its not matching then it must be picking up a different search.
Can you provide the search string for the table it relates to called error table?
hi,
this search I use in the drop-list:
version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year , date_month as month ,date_mday as day ,date_hour as hour,date_minute as minute ,date_second as second| sort day,minute,second |fillnull value=\"not_defined\" year,version,error | stats count by minute
and this one i use in the statistic table:
version error* | table date_year,date_month,date_mday,date_hour,date_minute,date_second ,version,host,error,source | rename date_year as year , date_month as month ,date_mday as day ,date_hour as hour,date_minute as minute ,date_second as second| sort year ,day,hour,minute,second |fillnull value="not defined" year,version,error
the time range is 24 hours for all of my searches
You need to make sure both searches correlate with each other so its pulling through exactly the same minutes as the other. Try the below in the dropdown search and this should produce the matching minutes that you see in your statistic table as long as the timeframe in the dropdown is the same or greater than the statistics table.
version error* | table date_year,date_month,date_mday,date_hour,date_minute,date_second ,version,host,error,source | rename date_year as year , date_month as month ,date_mday as day ,date_hour as hour,date_minute as minute ,date_second as second| sort year ,day,hour,minute,second |fillnull value="not defined" year,version,error | stats count by minute
I would actually recommend you increase your timeframe in your dropdown list just so it pulls through as as much info as possible as then if you create other statistic tables that has a arger date range you could use it for that also.
Let me know if this works
hi,
it's working but I need to see in the static table all the data if I use the same search I only see the count of the minute.
I based my search on this tutorial: https://www.youtube.com/watch?v=cdWXKBzPZ78
my final goal is to use the same options that were presented in this tutorial.
I had a quick look at the video and can see ohw he has attached all the dropdowns to the charts so it looks like your practically there
When you say you only see the count of the minute, do you mean all other data disappears in the statistics table and only shows the count of the minute?
Exactly -->"do you mean all other data disappears in the statistics table and only shows the count of the minute? "
If you use the search string in the token options do any search results come back?
You could try one of the below if it doesnt and use this as the search string
version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error | stats count by date_minute
or try this
version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error | stats count by minute
If you could post the source code for that token to have a look as well to see what has changed
hi, thanks I added the search to the drop-down list and it worked but the result of the drop-down list does not match to the result of the statistic table.
Just had another thought. It may be to do with the time frame is not set far enough back.
when you go into edit mode and click on the pencil to edit the dropdown. Underneath the search string is the time field. Make sure this is set far enough back so it can pick up all the minutes that have been available in the past so you can use it to parse into your search.
Maybe use the default range of 'year to date' so it picks up everything this year
Hi @mb_30
Can you provide a screenshot so i can have a look further?