Solved: Re: How to use 2 different query in dashboard and ... - Page 2

Punnu · ‎04-04-2025

Hi All,

I have created one query and it is working fine in search. I am sharing part of code from dashboard. In first part of call if you see I have hardcoded by earliest and latest time . But i want to pass those as input values by selecting input time provided on dashboard and then remaining part of query I want to run for whole day or lets say another time range . becuse it is possible that request i have received during mentioned time might get process later at dayy.How can I achieve this . Also I want to hide few columns at end like message guid , request time and output time .

    <panel>
      <table>
        <title>Contact -Timings</title>
        <search>
          <query>```query for apigateway call```
index=aws* earliest="03/28/2025:13:30:00" latest="03/28/2025:14:35:00" 
Method response body after transformations: sourcetype="aws:apigateway"
| rex field=_raw "Method response body after transformations: (?&lt;json&gt;[^$]+)" 
| spath input=json path="header.messageGUID" output=messageGUID 
| spath input=json path="payload.statusType.code" output=status 
| spath input=json path="payload.statusType.text" output=text 
| spath input=json path="header.action" output=action 
| where status=200 and action="Create" 
| rename _time as request_time 
    ```dedupe is added to remove duplicates ```
| dedup messageGUID
| append 
```query for event brigdel```
    [ search index="aws_np" 
| rex field=_raw "messageGUID\": String\(\"(?&lt;messageGUID&gt;[^\"]+)" 
| rex field=_raw "source\": String\(\"(?&lt;source&gt;[^\"]+)" 
| rex field=_raw "type\": String\(\"(?&lt;type&gt;[^\"]+)" 
| where  source="MDM"   and type="Contact"  ```and messageGUID="0461870f-ee8a-96cd-3db6-1ca1f6dbeb30"```
    | rename _time as output_time  | dedup messageGUID
    ] 
| stats values(request_time) as request_time values(output_time) as output_time    by messageGUID
|  where isnotnull(output_time) and isnotnull(request_time)   
 | eval timeTaken=(output_time-request_time)/60| convert ctime(output_time)| convert ctime(request_time)
| eventstats avg(timeTaken) min(timeTaken) max(timeTaken) count(messageGUID)
| head 1</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>

Punnu · ‎04-30-2025

I got solution of this by following what is mentioned in https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367124#M108287

View solution in original post

Punnu · ‎04-06-2025

Could there a possibility this playing any role is error

ITWhisperer · ‎04-06-2025

That seems unlikely. What does the search job inspector show?

Punnu · ‎04-06-2025

ITWhisperer · ‎04-06-2025

What about your search job inspector

and search log (particularly the expanded index search

Punnu · ‎04-06-2025

it is showing error

Punnu · ‎04-06-2025

Hi @ITWhisperer ,

I am observing one thing when I am changing to following format , instead of space giving : (highlighted in red ) , then it is running but not getting values of earliest, latest. Not sure is this correct way to display values .

ITWhisperer · ‎04-06-2025

It is not clear where the _time>= and _time< are coming from but these are where the issue is being introduced. Do you have any restrictions etc. associated with the role?

PickleRick · ‎04-07-2025

@ITWhisperer This is actually what Splunk internally translates earliest and latest parameters to.

@PunnuThis is a very interesting issue because when I use an identical search on a 9.1.2 instance I just pulled and ran in my docker container on my laptop, it runs without any issues.

Try running your subsearch with added | format command and see what it returns (it should return the set of conditions for the outer search rendered as string.

| makeresults
| eval earliest=strptime("12/03/2025 13:00","%d/%m/%Y %H:%M")
| eval latest=relative_time(earliest,"+1d")
| table earliest latest
| format

Punnu · ‎04-08-2025

Hello @PickleRick ,even simple search is failing . I tried keeping it in [] also ,still erroring out

PickleRick · ‎04-08-2025

This is wrong syntax. You can't search from index and then do makeresults.

Punnu · ‎04-06-2025

Hi @ITWhisperer , I will try to find out this with our Splunk enterprise team . But if that is true, this should also happen in this case also where space between date and hrs is replaces by :

then it is running fine but I am not sure if it running correct timings which I mean is 12-March-2025 to 13-march-2025

How to use 2 different query in dashboard and hide few columns

Classic dashboard

panel

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation