Hi,
I'm trying to graph events from a created report, but my time field doesn't seem to be recognized: I see 2 date points and I can't use time filters.
| inputlookup Reference_Server_Logins.csv
| append [ search index=Data_2022_login_log type=LoginEvent
| search doc.value.deltaCurrency > 0
| eval Server=mvindex(split(mvindex(split(source, "-"), 2), "/"), 0)
| stats count by _time, Server
| timechart span=1d count by Server]
| dedup _time
| sort - _time
| outputlookup Reference_Server_Logins.csv
This is my report search. The normal search works fine and I can graph that; however, once the data is added to the CSV and I try to add that to a dashboard panel, the _time field isn't affected by the date selection field, the graph is showing hours instead of days, and it only shows the 2 earliest values.
Messing around creating pivots allows me to see all data but again it's not affected by the filter.
Any help would be great.
Thanks
In a dashboard, an inputlookup command will not be affected by any time picker you have in your dashboard.
You will have to do some logic in a where clause after the inputlookup that will only select those rows from the lookup you want, e.g.
| inputlookup Reference_Server_Logins.csv
| where _time>=$earliest$ AND _time<=$latest$
However, it's not quite so straightforward, as the earliest and latest tokens are not necessarily numeric values; for example, latest might be "now", which will not work with _time<now.
So, you will have to have a base search in the dashboard that calculates the earliest and latest from the time picker. This is a typical use case to create tokens based on a time picker selection. Below 'time_picker' is the field name of your time picker input and it will create earliest/latest tokens based on the NUMERIC values of the earliest and latest times, which can then be used in the search above.
<search>
  <query>
    | makeresults
    | addinfo
  </query>
  <earliest>$time_picker.earliest$</earliest>
  <latest>$time_picker.latest$</latest>
  <done>
    <set token="earliest">$result.info_min_time$</set>
    <set token="latest">$result.info_max_time$</set>
  </done>
</search>
Hope this helps
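The two pieces from the answer above combined into one Simple XML dashboard, as an added example that is not part of the original thread. The panel layout, the -30d@d default, the CDATA wrapping and the fallback for an "All time" selection (where addinfo reports info_max_time as +Infinity) are assumptions added here.

```xml
<form>
  <label>Server logins from lookup (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="time_picker">
      <label>Time range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Base search: turns the picker selection into epoch seconds. -->
  <search>
    <query>
      | makeresults
      | addinfo
      | eval info_max_time=if(info_max_time="+Infinity", now(), info_max_time)
    </query>
    <earliest>$time_picker.earliest$</earliest>
    <latest>$time_picker.latest$</latest>
    <done>
      <set token="earliest">$result.info_min_time$</set>
      <set token="latest">$result.info_max_time$</set>
    </done>
  </search>
  <row>
    <panel>
      <chart>
        <search>
          <!-- CDATA so the comparison operators need no XML escaping. -->
          <query><![CDATA[
            | inputlookup Reference_Server_Logins.csv
            | where _time>=$earliest$ AND _time<=$latest$
            | sort 0 _time
          ]]></query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Outside CDATA, the comparison in the where clause has to be written as `&lt;=` for the dashboard XML to parse.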