Dashboards & Visualizations

Trying to create a dashboard panel graph from a report-created CSV, time field not recognized?

danniemcq
Loves-to-Learn Lots

Hi,

Trying to graph events from a created report, and my time field either isn't being recognized, I see 2 date points, and I can't use time filters.

| inputlookup Reference_Server_Logins.csv
| append [ search index=Data_2022_login_log type=LoginEvent
| search doc.value.deltaCurrency > 0
| eval Server=mvindex(split(mvindex(split(source, "-"), 2), "/"), 0)
| stats count by _time, Server
| timechart span=1d count by Server]
| dedup _time
| sort - _time
| outputlookup Reference_Server_Logins.csv



This is my report search. The normal search works fine and I can graph that; however, once the data is added to the CSV and I try to add that to a dashboard panel, the _time field isn't affected by the date selection field, the graph shows hours instead of days, and it only shows the 2 earliest values.

Messing around creating pivots allows me to see all data, but again it's not affected by the filter.

Any help would be great.

Thanks


bowesmana
SplunkTrust

In a dashboard, an inputlookup command will not be affected by any time picker you have in your dashboard.

You will have to do some logic in a where clause after the inputlookup that will only select those rows from the lookup you want, e.g. 

| inputlookup Reference_Server_Logins.csv
| where _time>=$earliest$ AND _time<=$latest$

However, it's not quite so straightforward, as the earliest and latest tokens are not necessarily numeric values; for example, latest might be "now", which will not work with _time<now.

So, you will have to have a base search in the dashboard that calculates the earliest and latest from the time picker. This is a typical use case to create tokens based on a time picker selection. Below 'time_picker' is the field name of your time picker input and it will create earliest/latest tokens based on the NUMERIC values of the earliest and latest times, which can then be used in the search above.

<search>
  <query>
| makeresults
| addinfo
  </query>
  <earliest>$time_picker.earliest$</earliest>
  <latest>$time_picker.latest$</latest>
  <done>
    <set token="earliest">$result.info_min_time$</set>
    <set token="latest">$result.info_max_time$</set>
  </done>
</search>

Hope this helps

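Putting the two pieces of the answer together, here is a complete Simple XML form as an added example (not code from the original answer): the time picker, the base search that turns the picker selection into numeric earliest/latest tokens, and a panel that filters the lookup with those tokens. It assumes the lookup name from the question, that _time in the CSV is stored as epoch seconds (as the report's outputlookup writes it), and that "All time" in the picker should be read as "up to now"; the eval handling that case is an assumption added here.

```xml
<form version="1.1">
  <label>Server logins from lookup (time picker aware)</label>

  <!-- Time picker input; its token name is what the base search reads -->
  <fieldset submitButton="false">
    <input type="time" token="time_picker">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: converts the picker's relative times into numeric epochs.
       addinfo reports +Infinity for "All time", so that case is clamped to now()
       (assumption added in this example). -->
  <search>
    <query>
| makeresults
| addinfo
| eval lt=if(info_max_time="+Infinity", now(), info_max_time)
| table info_min_time lt
    </query>
    <earliest>$time_picker.earliest$</earliest>
    <latest>$time_picker.latest$</latest>
    <done>
      <set token="earliest">$result.info_min_time$</set>
      <set token="latest">$result.lt$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Logins per server per day</title>
      <chart>
        <!-- The panel waits until both tokens are set, then filters the lookup.
             Note the "&lt;" escape: a bare "<" is not valid inside XML text. -->
        <search>
          <query>
| inputlookup Reference_Server_Logins.csv
| where _time>=$earliest$ AND _time&lt;=$latest$
| sort 0 _time
          </query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the lookup already holds one row per day (the report's timechart span=1d output), the panel only filters and orders rows; it does not re-bucket them.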