Solved: Summary index use in dashboard

uagraw01 · ‎03-24-2024

To obtain the results in a dashboard I am using following things.
1.) First I created datamodel
2.) Datamodel I have used in macros which is running 1h and 1d basis.
3. pass those macros in saved search and collect the results in hourly and daily basis.
4. Results of the span_token is passing to macro from the below dashboard code. 
5. As I am attaching macros and saved searches at the end of the dashboard code.

Issue : I am not getting proper results by using this approach and dashboard is not populating results properly. I need gidance to fix the issue.

====================================================================

<form version="1.1" theme="light">
  <label>Throughput : Highbay</label>
  <init>
    <set token="span_token">$form.span_token$</set>
  </init>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="time" id="my_date_range" searchWhenChanged="true">
        <label>Select the Time Range</label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
        <change>
          <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
          <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
          <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
          <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
        </change>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Total Pallet</title>
        <search>
          <query>|`$macro_token$(span_token="$span_token$")` 
| search LocationQualifiedName="*/Aisle*Entry*" OR  LocationQualifiedName="*/Aisle*Exit*"
|strcat "raw" "," location group_name | timechart sum(count) as cnt by location</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Pallet IN</title>
        <search>
          <query>|`$macro_token$(span_token="$span_token$")` 
| search LocationQualifiedName="*/Aisle*Entry*"
|strcat "raw" "," location group_name | timechart sum(count) as cnt by location</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Pallet OUT</title>
        <search>
          <query>|`$macro_token$(span_token="$span_token$")` 
| search LocationQualifiedName="*/Aisle*Exit*"
|strcat "raw" "," location group_name | timechart sum(count) as cnt by location</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
=======================================
Macros:

throughput_macro_raw(1)

datamodel Walmart_throughput Highbay_throughput flat | bin _time span="$span_token$" | rename AsrTsuEventTrackingUpdate.LocationQualifiedName as LocationQualifiedName | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year

throughput_macro_summary_1d(1)

search index="tput_summary" sourcetype="tput_summary_1d" | bin _time span="$span_token$" | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count

throughput_macro_summary_1h(1)	

search index="tput_summary" sourcetype="tput_summary_1h" | bin _time span=$span_token$ | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count

saved searches:

throughput_summary_index_1d
| `throughput_macro_raw(span_token="1d")`  
|strcat "raw" "," location group_name |strcat "raw" "," location group_name | stats count by location _time LocationQualifiedName
| collect index="tput_summary" sourcetype="tput_summary_1d"

throughput_summary_index_1h

| `throughput_macro_raw(span_token="1h")`  
 |strcat "raw" "," location group_name | stats count by location _time LocationQualifiedName
| collect index="tput_summary" sourcetype="tput_summary_1h"

ITWhisperer · ‎03-25-2024

index="tput_summary" sourcetype="tput_summary_1d"
| bin _time span="h"
| table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count
| where like(LocationQualifiedName, "%/Aisle%Entry%")
| strcat "raw" "," location group_name
| where like(LocationQualifiedName,"%/Aisle%Entry%") OR like(LocationQualifiedName,"%/Aisle%Exit%")
| strcat "raw" "," location group_name
| timechart sum(count) as cnt by location

View solution in original post

ITWhisperer · ‎03-24-2024

What is the issue? ("not getting proper results" and "not populating results properly" do not really explain what is wrong.)

uagraw01 · ‎03-24-2024

@ITWhisperer

Summary indexing is giving the results for 30 days but results are not populating the dashboard.

No results populating in a dashboards when search for 30 days.

ITWhisperer · ‎03-24-2024

Try opening the panel search in a search window and see what your searches are

uagraw01 · ‎03-24-2024

@ITWhisperer Below is the search I am using in a panel

|`$macro_token$(span_token="$span_token$")`
| search LocationQualifiedName="*/Aisle*Entry*" OR LocationQualifiedName="*/Aisle*Exit*"
|strcat "raw" "," location group_name | timechart sum(count) as cnt by location

Screenshot:

ITWhisperer · ‎03-24-2024

Try expanding the macros in the search to see what they are actually doing

uagraw01 · ‎03-24-2024

@ITWhisperer While expanding macros I am getting below search :

index="tput_summary" sourcetype="tput_summary_1d"
| bin _time span="h"
| table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count
| search LocationQualifiedName="*/Aisle*Entry*"
| strcat "raw" "," location group_name
| timechart sum(count) as cnt by location

Above search is not producing any results.

ITWhisperer · ‎03-24-2024

Your previous search returned events from tput_summary_1h whereas this latest search is used tput_summary_1d - check that there are events in your summary index for the *_1d sourcetype

uagraw01 · ‎03-24-2024

@ITWhisperer

Events are present in sourcetype="tput_summary_1d" for 30 days

Events are present in sourcetype="tput_summary_1h" for 30 days

Please guide me on this

ITWhisperer · ‎03-24-2024

What does this search return?

index="tput_summary" sourcetype="tput_summary_1d"
| bin _time span="h"
| table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count
| search LocationQualifiedName="*/Aisle*Entry*"
| strcat "raw" "," location group_name

uagraw01 · ‎03-24-2024

@ITWhisperer Below search is returning "0" results.

ITWhisperer · ‎03-24-2024

How about this search

index="tput_summary" sourcetype="tput_summary_1d"
| bin _time span="h"
| table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count

uagraw01 · ‎03-24-2024

@ITWhisperer Below search is returning result as below screenshot.

ITWhisperer · ‎03-24-2024

Try using where and like() instead of search

index="tput_summary" sourcetype="tput_summary_1d"
| bin _time span="h"
| table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count
| where like(LocationQualifiedName, "%/Aisle%Entry%")
| strcat "raw" "," location group_name

uagraw01 · ‎03-24-2024

@ITWhisperer I have modified the changes as per your suggestion in the macros. But now I am seeing issue persist with the data.

When I select for 7 days, data is visible in a dashboard. Query and dashboard screenshot is attached below.

index="tput_summary" sourcetype="tput_summary_1h"
| bin _time span=h
| table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count
| where like(LocationQualifiedName, "%/Aisle%Entry%")
| strcat "raw" "," location group_name
| search LocationQualifiedName="*/Aisle*Entry*" OR LocationQualifiedName="*/Aisle*Exit*"
| strcat "raw" "," location group_name
| timechart sum(count) as cnt by location

When I have select for 30 days . There is no data visible in a dashboard. You can see query also.

index="tput_summary" sourcetype="tput_summary_1d"
| bin _time span="h"
| table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count
| where like(LocationQualifiedName, "%/Aisle%Entry%")
| strcat "raw" "," location group_name
| search LocationQualifiedName="*/Aisle*Entry*" OR LocationQualifiedName="*/Aisle*Exit*"
| strcat "raw" "," location group_name
| timechart sum(count) as cnt by location

ITWhisperer · ‎03-25-2024

Try changing the other search commands to their corresponding where commands

uagraw01 · ‎03-25-2024

@ITWhisperer I have used below code to obtain token results in macros ?Please provide your suggestion, is there any changes need ?

<change>
          <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
          <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
          <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
          <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
        </change>

ITWhisperer · ‎03-25-2024

index="tput_summary" sourcetype="tput_summary_1d"
| bin _time span="h"
| table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count
| where like(LocationQualifiedName, "%/Aisle%Entry%")
| strcat "raw" "," location group_name
| where like(LocationQualifiedName,"%/Aisle%Entry%") OR like(LocationQualifiedName,"%/Aisle%Exit%")
| strcat "raw" "," location group_name
| timechart sum(count) as cnt by location

uagraw01 · ‎03-25-2024

@ITWhisperer Now code is working, I have modified it in a dashboard.

Thanks for your throughout genius help.

Summary index use in dashboard

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application