Dashboards & Visualizations

Trying to create a dashboard panel graph from a report-created CSV, time field not recognized?

danniemcq
Loves-to-Learn Lots

Hi,

I'm trying to graph events from a created report, and my time field isn't being recognized: I see only 2 date points and I can't use time filters.

| inputlookup Reference_Server_Logins.csv
| append [ search index=Data_2022_login_log type=LoginEvent
| search doc.value.deltaCurrency > 0
| eval Server=mvindex(split(mvindex(split(source, "-"), 2), "/"), 0)
| stats count by _time, Server
| timechart span=1d count by Server]
| dedup _time
| sort - _time
| outputlookup Reference_Server_Logins.csv



This is my report search. The normal search works fine and I can graph that; however, once the data is added to the CSV and I try to add that to a dashboard panel, the _time field isn't affected by the date selection field, the graph shows hours instead of days, and it only shows the 2 earliest values.

Messing around with creating pivots lets me see all the data, but again it's not affected by the filter.

Any help would be great.

Thanks

0 Karma

bowesmana
SplunkTrust

In a dashboard, an inputlookup command will not be affected by any time picker you have in your dashboard.

You will have to add some logic in a where clause after the inputlookup that selects only the rows from the lookup you want, e.g.

| inputlookup Reference_Server_Logins.csv
| where _time>=$earliest$ AND _time<=$latest$

However, it's not quite so straightforward, as the earliest and latest tokens are not necessarily numeric values; for example, latest might be "now", which will not work with _time<now.

So, you will have to have a base search in the dashboard that calculates the earliest and latest from the time picker. This is a typical use case for creating tokens based on a time picker selection. Below, 'time_picker' is the field name of your time picker input, and the search will create earliest/latest tokens based on the NUMERIC values of the earliest and latest times, which can then be used in the search above.

<search>
  <query>
| makeresults
| addinfo
  </query>
  <earliest>$time_picker.earliest$</earliest>
  <latest>$time_picker.latest$</latest>
  <done>
    <set token="earliest">$result.info_min_time$</set>
    <set token="latest">$result.info_max_time$</set>
  </done>
</search>

Hope this helps


0 Karma
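Putting the two fragments from the answer above together, here is a complete Simple XML dashboard as an added example; it is not code from the original post. It uses the lookup name from the question and the token names from the answer. Two things go beyond what the answer shows and are assumptions on my part: the `isnum()` guard, which covers a picker set to "All time" (where addinfo does not return a numeric info_max_time), and the explicit `tonumber()` on the lookup's `_time` column before the comparison.

```xml
<form>
  <label>Server logins from Reference_Server_Logins.csv</label>

  <fieldset submitButton="false">
    <!-- The picker only sets $time_picker.earliest$ / $time_picker.latest$,
         which may be relative strings such as "-30d@d" or "now". -->
    <input type="time" token="time_picker">
      <label>Time range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: resolve the picker into numeric epoch bounds.
       addinfo returns info_min_time / info_max_time in epoch seconds.
       Assumption: with an open-ended "All time" picker info_max_time
       is not numeric, so fall back to now() in that case. -->
  <search id="time_bounds">
    <query>
| makeresults
| addinfo
| eval info_max_time=if(isnum(info_max_time), info_max_time, now())
| fields info_min_time info_max_time
    </query>
    <earliest>$time_picker.earliest$</earliest>
    <latest>$time_picker.latest$</latest>
    <done>
      <set token="earliest">$result.info_min_time$</set>
      <set token="latest">$result.info_max_time$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Logins per server per day</title>
      <chart>
        <!-- inputlookup ignores the picker, so filter on the numeric tokens.
             The lookup's _time column was written by timechart as epoch
             seconds; cast it explicitly before comparing.
             Note: "<" must be written as &lt; inside Simple XML. -->
        <search>
          <query>
| inputlookup Reference_Server_Logins.csv
| eval _time=tonumber(_time)
| where _time&gt;=$earliest$ AND _time&lt;=$latest$
| sort _time
          </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleX.text">Day</option>
      </chart>
    </panel>
  </row>
</form>
```

The panel search is not run until both `$earliest$` and `$latest$` are set by the `<done>` handler, so changing the picker re-runs the base search and then the panel. The `&lt;` escaping is the part people most often trip over when pasting the where clause from the answer into dashboard XML: an unescaped `<` makes the XML invalid and the dashboard fails to load.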