Dashboard Studio - Search Result as Token

madhav_dholakia
Contributor
Hello,

I am creating a dashboard with the below searches to customize the number of data points and the time span displayed (using timechart) when a different timerange is selected.

Search 1 - Chart Span: based on the custom timerange token, this returns the span period and top values to be used in Search 3, given below.

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",$noOfDays$,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","$noOfHours$",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

 
Search 2 - Saved Search: this is a report returning the below fields:

| table Date Duration "Handled by" Queue _time

 

 
Search 3 - Chart: using Search 2 as the base search and the search result token values from Search 1:

| timechart span=$Chart Span:result.spantime$ count as HourlyCalls
| sort $Chart Span:result.topvalues$ -_time

 

 
Now, when I load the dashboard, the default timerange is calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\"), and based on this I would expect Search 3 as:

| timechart span=1d count as HourlyCalls
| sort 30 -_time

 

 
But it shows the below error message:

Set token value to render visualization
$noOfDays$
$noOfHours$
$spantime$
$topvalues$

 

 
Can someone please suggest what is wrong here and how I can fix this?

Thank you.
0 Karma

dural_yyz
Motivator

https://docs.splunk.com/Documentation/Splunk/9.4.1/Viz/EventHandlerReference#chart_.28event_tokens.2...

I haven't done exactly what you are asking but I've done similar stuff. The documents should help you out.

0 Karma

madhav_dholakia
Contributor

Thanks @dural_yyz - this is for Simple XML dashboards, if I understood correctly? I am using Dashboard Studio.

I got this fixed, thanks to this response on Slack Splunk Community.

Fix: 

Search 1 refers to all of those tokens in the final eval but you haven’t defined them. Are you meaning to use the fields you’ve defined in the previous eval statements? If so, you just need to remove the $$ from around the field names in that final eval in search 1

updated Search 1:

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",noOfDays,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")",noOfHours,$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

Thank you.

 

0 Karma
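
The failure mode resolved in this thread (a `$field$` reference inside a search being read as a dashboard token that nothing sets) can be caught before the dashboard is loaded. The check below is an added example, not code from the thread or from Splunk; it assumes a simplified Dashboard Studio definition in which inputs name their token in `options.token` and searches carry `name` and `options.query`, and the sample definition is constructed.

```python
import re

# Constructed, simplified Dashboard Studio definition. Assumed shape: each
# input names its token in options.token; each search has name + options.query.
DASHBOARD = {
    "inputs": {"input_1": {"type": "input.dropdown", "options": {"token": "timerange"}}},
    "dataSources": {
        "ds_1": {"type": "ds.search", "name": "Chart Span", "options": {"query":
            '| makeresults | eval spantime="1d" '
            '| eval noOfDays=round((now()-relative_time(now(),"@mon"))/86400) '
            '| eval topvalues=case($timerange|s$="month",$noOfDays$,true(),"30")'}},
        "ds_2": {"type": "ds.search", "name": "Chart", "options": {"query":
            "| timechart span=$Chart Span:result.spantime$ count as HourlyCalls "
            "| sort $Chart Span:result.topvalues$ -_time"}},
    },
}

# $name$ or $name|filter$; names may contain spaces, ':' and '.'.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w .:]*?)(?:\|\w+)?\$")


def undefined_tokens(dashboard):
    """Return (search name, token, is_eval_field) for every token reference
    that no input or search result provides."""
    input_tokens = {i["options"]["token"] for i in dashboard.get("inputs", {}).values()
                    if "token" in i.get("options", {})}
    searches = {ds.get("name", key): ds["options"]["query"]
                for key, ds in dashboard.get("dataSources", {}).items()
                if "query" in ds.get("options", {})}
    findings = []
    for name, query in searches.items():
        for token in TOKEN_RE.findall(query):
            source, sep, _field = token.partition(":result.")
            if sep:                       # search-result token
                if source in searches:
                    continue
            elif token in input_tokens:   # input token
                continue
            # A field created by eval in the same search was probably meant
            # as a bare field name, not a dashboard token.
            is_field = re.search(rf"\beval\s+{re.escape(token)}\s*=", query) is not None
            findings.append((name, token, is_field))
    return findings


if __name__ == "__main__":
    for search, token, is_field in undefined_tokens(DASHBOARD):
        hint = "use the bare field name" if is_field else "define the token"
        print(f"{search}: ${token}$ is not set ({hint})")
```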