Hey splunksters,
The following dashboard allows the user to select a timeframe to show hosts/sourcetypes that haven't reported in. For instance, the current selection dropdown allows them to select everything that hasn't reported in for 24 hours... I'd like to change it with a second token (or something) that shows hosts/st that haven't reported in 24 hours but not greater than 48 hours... I assume it involves adding a second token and changing the "where" clause in the search query to something like
| where lt < timeLastSeenCheck AND timeLastSeenCheck > secondtoken
However, I'm having trouble getting it to work... any help is much appreciated!
Thanks!
<form>
<label>missing data alert panels (under construction) Clone Clone</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="simple">
<label>Simple Time Picker</label>
<choice value="1">Over 24 Hours</choice>
<choice value="2">Over 48 Hours</choice>
<choice value="3">Over 72 Hours</choice>
<choice value="4">Over 96 Hours</choice>
<default>1</default>
</input>
</fieldset>
<row>
<panel>
<title>Host / Sourcectype Silent (15 day grab)</title>
<table>
<search>
<query>| tstats latest(_indextime) as lt by host sourcetype
| eval timeLastSeenCheck=relative_time(now(), "-$simple$d@d")
| eventstats count(host) as tots_hosts by sourcetype
| eventstats dc(sourcetype) as tots_st by host
| where lt &lt; timeLastSeenCheck
| eventstats count(host) as ghost_hosts by sourcetype
| eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100
| eventstats dc(sourcetype) as ghost_st by host
| eval percent_ghost_st = (ghost_st / tots_st) * 100
| convert ctime(timeLastSeenCheck) as Time_LAst_Seen_Check timeformat="%Y/%m/%d %H:%M"
| dedup sourcetype
| rename tots_hosts as Total_hosts_by_ST tots_st as DC_Total_ST_by_HOST
| table host sourcetype percent_ghost_host percent_ghost_st Total_hosts_by_ST ghost_hosts DC_Total_ST_by_HOST ghost_st Time_LAst_Seen_Check</query>
<earliest>-15d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Try this.
<form>
<label>missing data alert panels (under construction) Clone Clone</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="simple">
<label>Over</label>
<choice value="1">Over 24 Hours</choice>
<choice value="2">Over 48 Hours</choice>
<choice value="3">Over 72 Hours</choice>
<choice value="4">Over 96 Hours</choice>
<default>1</default>
</input>
<input type="dropdown" token="simple_2">
<label>Later than</label>
<choice value="1">Later than 24 Hours</choice>
<choice value="2">Later than 48 Hours</choice>
<choice value="3">Later than 72 Hours</choice>
<choice value="4">Later than 96 Hours</choice>
<default>1</default>
</input>
</fieldset>
<row>
<panel>
<title>Host / Sourcectype Silent (15 day grab)</title>
<table>
<search>
<query>| tstats latest(_indextime) as lt by host sourcetype
| eval timeLastSeenCheck=relative_time(now(), "-$simple$d@d"), newer_than=relative_time(now(), "-$simple_2$d@d")
| eventstats count(host) as tots_hosts by sourcetype
| eventstats dc(sourcetype) as tots_st by host
| where lt &lt; timeLastSeenCheck and lt>newer_than
| eventstats count(host) as ghost_hosts by sourcetype
| eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100
| eventstats dc(sourcetype) as ghost_st by host
| eval percent_ghost_st = (ghost_st / tots_st) * 100
| convert ctime(timeLastSeenCheck) as Time_LAst_Seen_Check timeformat="%Y/%m/%d %H:%M"
| dedup sourcetype
| rename tots_hosts as Total_hosts_by_ST tots_st as DC_Total_ST_by_HOST
| table host sourcetype percent_ghost_host percent_ghost_st Total_hosts_by_ST ghost_hosts DC_Total_ST_by_HOST ghost_st Time_LAst_Seen_Check</query>
<earliest>-15d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Hope this helps.
Cheers
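The two-bound window check from the answer above, as an added example that is not part of the original posts: a search that can be pasted into the search bar, using constructed `makeresults` rows (six hosts last seen 12 to 72 hours ago) in place of the `tstats` output. The fields `over_days`, `later_than_days`, `window_ok`, `in_window`, `last_seen`, `lower` and `upper` are assumptions; `over_days` and `later_than_days` stand in for the `$simple$` and `$simple_2$` tokens.

```spl
| makeresults count=6
| streamstats count as n
| eval host="host".n, sourcetype="syslog", lt=now() - (n * 43200)
| eval over_days=1, later_than_days=2
| eval timeLastSeenCheck=relative_time(now(), "-".over_days."d@d"), newer_than=relative_time(now(), "-".later_than_days."d@d")
| eval window_ok=if(newer_than < timeLastSeenCheck, "yes", "no")
| eval in_window=if(lt < timeLastSeenCheck AND lt > newer_than, "yes", "no")
| eval last_seen=strftime(lt, "%Y/%m/%d %H:%M"), lower=strftime(newer_than, "%Y/%m/%d %H:%M"), upper=strftime(timeLastSeenCheck, "%Y/%m/%d %H:%M")
| table host last_seen lower upper window_ok in_window
```

Because of the `@d` snap, both bounds land on midnight, so the "24 hours" boundary is really the start of yesterday. When the two values are equal, as with both dropdowns at their default of 1, `lower` equals `upper`, `window_ok` is "no" and no row can satisfy the `where` clause.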
Thanks... I see what you are getting at, but I don't get any results... it was a longshot, but I tried setting the values to 2, 3, 4, 5 in the second dropdown?? but that didn't work either... hmmmm
OK. I'm a dummy (missed some SPL during copy/pasta)... Got it working... Thanks arjunpkishore5!
You're welcome. 🙂