Dashboards & Visualizations

Create filter with month names in the dashboard

antonio147
Communicator

Hi all,
i created a report, now i need to create a dashboard that takes data from this report with loadjob savedsearch.
the report has as the name of the fields 1_month_previous, 2_month_previous, ......(I could not rename the names of the months in the command stats sum (DIM) as 1_month_previous, I also followed a post here in the community)
I would like to create a filter in the dashboard with the names of the months instead of the previous_month.
I tried with this code:
<query> | makeresults
| eval MPR0 = strftime (relative_time (now (), "-0month @ month"), "% B")
| eval MPR1 = strftime (relative_time (now (), "-1month @ month"), "% B")
| eval MPR2 = strftime (relative_time (now (), "-2month @ month"), "% B")
| eval MPR3 = strftime (relative_time (now (), "-3month @ month"), "% B")
| eval MPR4 = strftime (relative_time (now (), "-4month @ month"), "% B")
| eval MPR5 = strftime (relative_time (now (), "-5month @ month"), "% B")
| eval MPR6 = strftime (relative_time (now (), "-6month @ month"), "% B")
| eval MPR7 = strftime (relative_time (now (), "-7month @ month"), "% B")
| eval MPR8 = strftime (relative_time (now (), "-8month @ month"), "% B")
| eval MPR9 = strftime (relative_time (now (), "-9month @ month"), "% B")
| eval MPR10 = strftime (relative_time (now (), "-10month @ month"), "% B")
| eval MPR11 = strftime (relative_time (now (), "-11month @ month"), "% B")

| eval MONTH = mvappend (MPR0, MPR1, MPR2, MPR3, MPR4, MPR5, MPR6, MPR7, MPR8, MPR9, MPR10, MPR11)
| table MONTH </query>
but in Dinamic Option -> Search String by inserting this code, it returns me the names of the months separated by commas, all on a single row and not in a column to let me choose the month I need.
Do you have any suggestions?

I have tried mv append, split, delim, etc .. to no avail.
I ask for help from you Splunk gurus.
Tks
BR
Antonio

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Here's a way that works  in SimpleXML - hopefully you can translate to Dashboard Studio

    <input type="dropdown" token="previousmonth">
      <label>Past 12 months</label>
      <search>
        <query>| makeresults
| eval month=mvrange(1, 13)
| mvexpand month
| eval month=0-month
| eval _time=relative_time(_time,month."mon@mon")
| eval month=strftime(_time,"%B")
| table month</query>
      </search>
      <fieldForLabel>month</fieldForLabel>
      <fieldForValue>month</fieldForValue>
    </input>

View solution in original post

antonio147
Communicator

Hi ITWhisperer,
thanks for the quick response.
I tried your code and it works.
I found another suggestion from you regarding this request that worked just the same.
Now, however, I would like the current month (now: November) to be in first place and the previous month immediately below, and so on .....
Also since I have the 1_month_previous field in the original report I have to take those values in that field.
I thought about transforming the name of the month into its value and adding the _precedent_month suffix so as to have the field written.
Do you think it is the optimal solution or is there something better? 🙂
In any case, thanks for your invaluable help and suggestion.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
    <input type="dropdown" token="previousmonth">
      <label>Past 12 months</label>
      <search>
        <query>| makeresults
| eval mon=mvrange(1, 13)
| mvexpand mon
| eval mon=mon-1
| eval month=if(mon>0,(0-mon)."mon","")
| eval fieldname=if(mon>0,mon."_month_previous","now")
| eval _time=relative_time(_time,month."@mon")
| eval month=strftime(_time,"%B")
| table month fieldname</query>
      </search>
      <fieldForLabel>month</fieldForLabel>
      <fieldForValue>fieldname</fieldForValue>
    </input>

antonio147
Communicator

IT Whisperer, you are great !!!!
Thank you so much, in 2 minutes you solved a problem that I had not been able to overcome for days.
You're great !!!
Tks

 

ITWhisperer
SplunkTrust
SplunkTrust

Here's a way that works  in SimpleXML - hopefully you can translate to Dashboard Studio

    <input type="dropdown" token="previousmonth">
      <label>Past 12 months</label>
      <search>
        <query>| makeresults
| eval month=mvrange(1, 13)
| mvexpand month
| eval month=0-month
| eval _time=relative_time(_time,month."mon@mon")
| eval month=strftime(_time,"%B")
| table month</query>
      </search>
      <fieldForLabel>month</fieldForLabel>
      <fieldForValue>month</fieldForValue>
    </input>
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...