Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard Studio - Search Result as Token

madhav_dholakia
Contributor
‎03-12-2025 07:34 AM
Hello,
 
I am creating a dashboard with below searches to customize number of data points and time span displayed (using timechart) when different timerange is selected.
 
Search 1 - Chart Span: based on, custom timerange token, this returns span period and top values to be used in Search 3, given below.
 
 

 

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",$noOfDays$,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","$noOfHours$",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

 
Search 2 - Saved Search: this is a report returning below fields:
 
 

 

| table Date Duration "Handled by" Queue _time

 

 
Search 3 - Chart: using Search 2 as base search and search result token values from Search 1:
 
 

 

| timechart span=$Chart Span:result.spantime$ count as HourlyCalls
| sort $Chart Span:result.topvalues$ -_time

 

 
now, when I load the dashboard, default timerange is calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\") , based on this I would expect Search 3 as,
 
 

 

| timechart span=1d count as HourlyCalls
| sort 30 -_time

 

 
but it shows below error message:
 
 

 

Set token value to render visualization
$noOfDays$
$noOfHours$
$spantime$
$topvalues$

 

 
can someone please suggest what is wrong here and how can I fix this?
 
Thank you.
Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

madhav_dholakia
Contributor
‎03-18-2025 02:57 AM

thanks @dural_yyz - this is for Simple XML Dashboards if I understood correctly? I am using dashboard studio.

I got this fixed, thanks to this response on Slack Splunk Community.

Fix: 

Search 1 refers to all of those tokens in the final eval but you haven’t defined them. Are you meaning to use the fields you’ve defined in the previous eval statements? If so, you just need to remove the $$ from around the field names in that final eval in search 1

updated Search 1:

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",noOfDays,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")",$noOfHours$,$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

Thank you.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dural_yyz
Motivator
‎03-14-2025 07:39 AM

https://docs.splunk.com/Documentation/Splunk/9.4.1/Viz/EventHandlerReference#chart_.28event_tokens.2...

I haven't done exactly what you are asking but I've done similar stuff.  The documents should help you out.

0 Karma
Reply
Solved! Jump to solution
Solution

madhav_dholakia
Contributor
‎03-18-2025 02:57 AM

thanks @dural_yyz - this is for Simple XML Dashboards if I understood correctly? I am using dashboard studio.

I got this fixed, thanks to this response on Slack Splunk Community.

Fix: 

Search 1 refers to all of those tokens in the final eval but you haven’t defined them. Are you meaning to use the fields you’ve defined in the previous eval statements? If so, you just need to remove the $$ from around the field names in that final eval in search 1

updated Search 1:

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",noOfDays,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")",$noOfHours$,$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

Thank you.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...