Results for Each Day from within Time Range Using Time Picker in Dashboard Solution

tyhopping1
Engager

ISSUE: I am currently developing a dashboard that tracks Start/End time, duration, and record count for a job that runs every day. In my dashboard I have a time picker utilized in order to return results from certain time periods. However, when I search between two or more days, my results only return the information of the job from the previous day.

WHAT I HAVE: Here is a portion of the XML from my dashboard that contains the base search query and time picker code.

    <form>
      <label>title</label>
      <search id="base_search">
        <query> source="source name" |search NameOfJob=$NameOfJob$ | spath "count.amountOfRecords" | search "count.amountOfRecords"=* | spath timestamp | search timestamp=*
    | stats earliest(timestamp) as StartTime, latest(timestamp) as EndTime count by "count.amountOfRecords" NameOfJob 
    | eval StartTime=substr(StartTime,1,25) 
    | eval EndTime=substr(EndTime,1,25)
    | table NameOfJob, StartTime, EndTime, count.amountOfRecords</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldset submitButton="true" autoRun="true">
        <input type="dropdown" token="NameOfJob" searchWhenChanged="false">
          <label>MODE</label>
          <search base="base_search">
            <query/>
          </search>
          <fieldForLabel>$NameOfJob$</fieldForLabel>
          <fieldForValue>$NameOfJob$</fieldForValue>
          <choice value="RJT*">T</choice>
          <choice value="RJC*">C</choice>
          <initialValue>RJT*</initialValue>
        </input>
        <input type="dropdown" searchWhenChanged="false" token="NameOfJob">
          <label>JOB NAME</label>
          <fieldForLabel>NameOfJob</fieldForLabel>
          <fieldForValue>NameOfJob</fieldForValue>
          <search>
            <query>| search NameOfJob = $NameOfJob$ | stats count by NameOfJob</query>
            <earliest>0</earliest>
            <latest></latest>
          </search>
          <choice value="$NameOfJob$">NameOfJob</choice>
        </input>
        <input type="time" token="time">
          <label>TIME</label>
          <default>
            <earliest>-1d@d</earliest>
            <latest>@d</latest>
          </default>
        </input>

NEED: For a Date range (2 days or more) I would like the results to show the start/end times, duration, and record of the job for each day in that time range. Is this possible? Thank you

0 Karma

kmaron
Motivator

Have you tried adding a date to the by clause of your stats command?

0 Karma

tyhopping1
Engager

Can you provide an example?

0 Karma

kmaron
Motivator

Strip the date out of your timestamp (I used strftime since I don't know what format your timestamp is), then add it to your by clause:

    source="source name" |search NameOfJob=$NameOfJob$ | spath "count.amountOfRecords" | search "count.amountOfRecords"=* | spath timestamp | search timestamp=*
    | eval date=strftime(timestamp,"%Y-%m-%d")
    | stats earliest(timestamp) as StartTime, latest(timestamp) as EndTime count by "count.amountOfRecords" NameOfJob date
    | eval StartTime=substr(StartTime,1,25) 
    | eval EndTime=substr(EndTime,1,25)
    | table date NameOfJob, StartTime, EndTime, count.amountOfRecords

0 Karma

tyhopping1
Engager

I have given this a try. It looks like it gives me the same results. I have even tried using _time instead of timestamp within the eval date statement; this returns only the first date's (within the date range) values. Any idea where to go from here?

Thank you

0 Karma