ISSUE: I am currently developing a dashboard that tracks Start/End time, duration, and record count for a job that runs every day. In my dashboard I have a time picker utilized in order to return results from certain time periods. However, when I search between two or more days, my results only return the information of the job from the previous day.
WHAT I HAVE: Here is a portion of the XML from my dashboard that contains the base search query and time picker code.
<form>
  <label>title</label>
  <search id="base_search">
    <query> source="source name" |search NameOfJob=$NameOfJob$ | spath "count.amountOfRecords" | search "count.amountOfRecords"=* | spath timestamp | search timestamp=*
| stats earliest(timestamp) as StartTime, latest(timestamp) as EndTime count by "count.amountOfRecords" NameOfJob
| eval StartTime=substr(StartTime,1,25)
| eval EndTime=substr(EndTime,1,25)
| table NameOfJob, StartTime, EndTime, count.amountOfRecords</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="NameOfJob" searchWhenChanged="false">
      <label>MODE</label>
      <search base="base_search">
        <query/>
      </search>
      <fieldForLabel>$NameOfJob$</fieldForLabel>
      <fieldForValue>$NameOfJob$</fieldForValue>
      <choice value="RJT*">T</choice>
      <choice value="RJC*">C</choice>
      <initialValue>RJT*</initialValue>
    </input>
    <input type="dropdown" searchWhenChanged="false" token="NameOfJob">
      <label>JOB NAME</label>
      <fieldForLabel>NameOfJob</fieldForLabel>
      <fieldForValue>NameOfJob</fieldForValue>
      <search>
        <query>| search NameOfJob = $NameOfJob$ | stats count by NameOfJob</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="$NameOfJob$">NameOfJob</choice>
    </input>
    <input type="time" token="time">
      <label>TIME</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
NEED: For a Date range (2 days or more) I would like the results to show the start/end times, duration, and record of the job for each day in that time range. Is this possible? Thank you
Have you tried adding a date to the by clause of your stats command?
Can you provide an example?
Strip the date out of your timestamp (I used strftime since I don't know what format your timestamp is), then add it to your by clause:
source="source name" |search NameOfJob=$NameOfJob$ | spath "count.amountOfRecords" | search "count.amountOfRecords"=* | spath timestamp | search timestamp=*
| eval date=strftime(timestamp,"%Y-%m-%d")
| stats earliest(timestamp) as StartTime, latest(timestamp) as EndTime count by "count.amountOfRecords" NameOfJob date
| eval StartTime=substr(StartTime,1,25)
| eval EndTime=substr(EndTime,1,25)
| table date NameOfJob, StartTime, EndTime, count.amountOfRecords
I have given this a try. It looks like it gives me the same results. I have even tried using _time instead of timestamp within the eval date statement; this returns only the first date's (within the date range) values. Any idea where to go from here?
Thank you