Dashboard Studio - Search Result as Token

madhav_dholakia
Contributor
Hello,

I am creating a dashboard with the searches below to customize the number of data points and the time span displayed (using timechart) when a different timerange is selected.

Search 1 - Chart Span: based on a custom timerange token, this returns the span period and top values to be used in Search 3, given below.

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",$noOfDays$,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","$noOfHours$",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

 
Search 2 - Saved Search: this is a report returning the fields below:

| table Date Duration "Handled by" Queue _time

 

 
Search 3 - Chart: using Search 2 as base search and search result token values from Search 1:

| timechart span=$Chart Span:result.spantime$ count as HourlyCalls
| sort $Chart Span:result.topvalues$ -_time

 

 
Now, when I load the dashboard, the default timerange is calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\"); based on this I would expect Search 3 to be:

| timechart span=1d count as HourlyCalls
| sort 30 -_time

 

 
but it shows the error message below:

Set token value to render visualization
$noOfDays$
$noOfHours$
$spantime$
$topvalues$

 

 
Can someone please suggest what is wrong here and how I can fix this?
 
Thank you.
0 Karma

dural_yyz
Motivator

https://docs.splunk.com/Documentation/Splunk/9.4.1/Viz/EventHandlerReference#chart_.28event_tokens.2...

I haven't done exactly what you are asking but I've done similar stuff.  The documents should help you out.

0 Karma

madhav_dholakia
Contributor

Thanks @dural_yyz - this is for Simple XML dashboards, if I understood correctly? I am using Dashboard Studio.

I got this fixed, thanks to this response on Slack Splunk Community.

Fix: 

Search 1 refers to all of those tokens in the final eval but you haven’t defined them. Are you meaning to use the fields you’ve defined in the previous eval statements? If so, you just need to remove the $$ from around the field names in that final eval in search 1

updated Search 1:

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",noOfDays,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")",noOfHours,$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

Thank you.

 

0 Karma
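
The fix in this thread comes down to telling dashboard tokens (`$name$`) apart from fields computed inside the same search. As an added example (not code from the thread or from Splunk), this Python check scans a dashboard definition for `$...$` references that no input or `<search name>:result.<field>` reference can satisfy; the trimmed JSON layout, the ids `ds_span`/`ds_chart`/`input_range` and the `"mtd"` value are constructed assumptions.

```python
import json
import re

# Matches $name$ and $name|filter$ (for example $timerange|s$).
TOKEN_RE = re.compile(r"\$([^$|]+)(?:\|\w+)?\$")

# Constructed, trimmed dashboard definition modelled on the thread's searches.
DASHBOARD = json.loads(r'''
{
  "inputs": {"input_range": {"type": "input.dropdown", "options": {"token": "timerange"}}},
  "dataSources": {
    "ds_span": {"type": "ds.search", "name": "Chart Span",
      "options": {"query": "| makeresults | eval noOfDays=round((now()-relative_time(now(),\"@mon\"))/86400) | eval topvalues=case($timerange|s$=\"mtd\",$noOfDays$,true(),\"30\") | eval spantime=\"1d\""}},
    "ds_chart": {"type": "ds.chain", "name": "Chart",
      "options": {"query": "| timechart span=$Chart Span:result.spantime$ count | sort $Chart Span:result.topvalues$ -_time"}}
  }
}
''')

def defined_tokens(dashboard):
    """Token names that some input sets (assumed to live in options.token)."""
    return {i["options"]["token"] for i in dashboard.get("inputs", {}).values()
            if "token" in i.get("options", {})}

def eval_fields(query):
    """Field names assigned by `| eval name=` inside one query."""
    return set(re.findall(r"\|\s*eval\s+(\w+)\s*=", query))

def lint(dashboard):
    """Return (data source id, token, hint) for every token nothing can set."""
    known = defined_tokens(dashboard)
    sources = dashboard.get("dataSources", {})
    names = {ds.get("name") for ds in sources.values()}
    findings = []
    for ds_id, ds in sources.items():
        query = ds.get("options", {}).get("query", "")
        fields = eval_fields(query)
        for tok in TOKEN_RE.findall(query):
            src, sep, _ = tok.partition(":result.")
            if tok in known or (sep and src in names):
                continue  # set by an input, or a result token of a named search
            hint = ("field of this search, drop the $...$" if tok in fields
                    else "no input sets it")
            findings.append((ds_id, tok, hint))
    return findings

if __name__ == "__main__":
    print(lint(DASHBOARD))
```
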