Dashboards & Visualizations

How to pull a search from an inputlookup and place it on the management's dashboard?

gabarrygowin
Path Finder

Hello all,

I have created a form in Splunk that our Infra team uses to attest that they have conducted their daily system checks. Seems all the input side is working well now. The next challenge is pulling those daily audits to a search for displaying to management that we worker bees are busy.

I have the following search working, but it always pulls ALL the data in the .csv lookup vice just the current day.

| inputlookup DailyCheck.csv   | stats count by _time, Administrator, CheckPerformed, CheckStatus, CheckType 

Which results in:

_time   Administrator   CheckPerformed  CheckStatus CheckType   count
2018-04-24 07:53:05 Alvarez, Osie   Splunk  Complete, No Issues noted   Daily   1
2018-04-24 07:51:28 Alliman, Jen    Satellite   Complete, No Issues noted   Daily   1
2018-04-24 07:49:38 Coldwell, Tony  Satellite   Complete, No Issues noted   Daily   1
2018-04-23 11:05:48 Coldwell, Tony  Satellite   Complete, No Issues noted   Daily   1
2018-04-23 10:54:58 Gonzo, Barney   Virtualization  Complete, No Issues noted   Daily   1
2018-04-23 10:54:52 Gonzo, Barney   Complete, No Issues noted   Daily   1

How on earth can I pull just the "Today" values from the lookup in my search so I can put it on management's dashboard?

P.S. Names have been changed to protect the probably innocent.

Many, many thanks!

Barry


somesoni2
Revered Legend

The inputlookup command is not affected by the selected time range, so you would need to specify the time-based filter in your search string, like this:

| inputlookup DailyCheck.csv | where _time>=relative_time(now(),"@d")| stats count by _time, Administrator, CheckPerformed, CheckStatus, CheckType

The relative_time(now(),"@d") gives the time of the start of today. The where condition can be updated to fetch records for the appropriate time range; for example, for just yesterday, your where clause would be:

| where _time>=relative_time(now(),"-1d@d") AND _time<relative_time(now(),"@d")
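
An added example, not from the thread: when the panel should follow the dashboard's time picker rather than a fixed "today" window, the search can read its own time range with addinfo (which adds info_min_time and info_max_time) and filter the lookup rows against those; the substitution of "+Infinity" covers an "All time" selection. DailyCheck.csv and its column names are the ones from the question.

```spl
| inputlookup DailyCheck.csv
| addinfo
| eval info_max_time=if(info_max_time="+Infinity", now(), info_max_time)
| where _time>=info_min_time AND _time<=info_max_time
| fields - info_min_time info_max_time info_search_time info_sid
| eval Day=strftime(_time, "%Y-%m-%d")
| stats count AS Checks BY Day, Administrator, CheckPerformed, CheckStatus, CheckType
| sort - Day, Administrator
```

With the picker set to "Today" this returns the same rows as the relative_time filter above; with "Yesterday" or a custom range it returns that window instead, with no change to the search.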



gabarrygowin
Path Finder

Somesoni2,

You are a very helpful person that just got me over a weeklong hurdle!

Many, many thanks!

Barry


gabarrygowin
Path Finder

Can I ask a bonus question? I read your percentage posts and have been trying most of the day to do something similar.

Trying to convert the outcome of CheckStatus="Complete*" to a percentage. There are 12 daily checks, which I normally manually divide the Complete by 12 and get my percentage. Trying to get Splunk to automate this action.

Here's my search:

| inputlookup GenAtomicsCheck.csv | where _time>=relative_time(now(),"@d") | search CheckStatus="Complete*" | chart count AS Completed
