Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard Studio - Search Result as Token

madhav_dholakia
Contributor
‎03-12-2025 07:34 AM
Hello,
 
I am creating a dashboard with below searches to customize number of data points and time span displayed (using timechart) when different timerange is selected.
 
Search 1 - Chart Span: based on, custom timerange token, this returns span period and top values to be used in Search 3, given below.
 
 

 

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",$noOfDays$,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","$noOfHours$",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

 
Search 2 - Saved Search: this is a report returning below fields:
 
 

 

| table Date Duration "Handled by" Queue _time

 

 
Search 3 - Chart: using Search 2 as base search and search result token values from Search 1:
 
 

 

| timechart span=$Chart Span:result.spantime$ count as HourlyCalls
| sort $Chart Span:result.topvalues$ -_time

 

 
now, when I load the dashboard, default timerange is calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\") , based on this I would expect Search 3 as,
 
 

 

| timechart span=1d count as HourlyCalls
| sort 30 -_time

 

 
but it shows below error message:
 
 

 

Set token value to render visualization
$noOfDays$
$noOfHours$
$spantime$
$topvalues$

 

 
can someone please suggest what is wrong here and how can I fix this?
 
Thank you.
Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

madhav_dholakia
Contributor
‎03-18-2025 02:57 AM

thanks @dural_yyz - this is for Simple XML Dashboards if I understood correctly? I am using dashboard studio.

I got this fixed, thanks to this response on Slack Splunk Community.

Fix: 

Search 1 refers to all of those tokens in the final eval but you haven’t defined them. Are you meaning to use the fields you’ve defined in the previous eval statements? If so, you just need to remove the $$ from around the field names in that final eval in search 1

updated Search 1:

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",noOfDays,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")",$noOfHours$,$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

Thank you.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dural_yyz
Motivator
‎03-14-2025 07:39 AM

https://docs.splunk.com/Documentation/Splunk/9.4.1/Viz/EventHandlerReference#chart_.28event_tokens.2...

I haven't done exactly what you are asking but I've done similar stuff.  The documents should help you out.

0 Karma
Reply
Solved! Jump to solution
Solution

madhav_dholakia
Contributor
‎03-18-2025 02:57 AM

thanks @dural_yyz - this is for Simple XML Dashboards if I understood correctly? I am using dashboard studio.

I got this fixed, thanks to this response on Slack Splunk Community.

Fix: 

Search 1 refers to all of those tokens in the final eval but you haven’t defined them. Are you meaning to use the fields you’ve defined in the previous eval statements? If so, you just need to remove the $$ from around the field names in that final eval in search 1

updated Search 1:

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",noOfDays,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")",$noOfHours$,$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

 

Thank you.

 

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...