
Trying to create a dashboard panel graph from a report-created CSV, time field not recognized?

danniemcq
Loves-to-Learn Lots

Hi,


I'm trying to graph events from a created report, and my time field isn't being recognized: I see 2 date points and I can't use time filters.

| inputlookup Reference_Server_Logins.csv
| append [ search index=Data_2022_login_log type=LoginEvent
| search doc.value.deltaCurrency > 0
| eval Server=mvindex(split(mvindex(split(source, "-"), 2), "/"), 0)
| stats count by _time, Server
| timechart span=1d count by Server]
| dedup _time
| sort - _time
| outputlookup Reference_Server_Logins.csv

This is my report search. The normal search works fine and I can graph that; however, once the data is added to the CSV and I try to add that to a dashboard panel, the _time field isn't affected by the date selection field, the graph is showing hours instead of days, and it only shows the 2 earliest values.

Messing around creating pivots allows me to see all data but again it's not affected by the filter.

Any help would be great.

Thanks


bowesmana
SplunkTrust

In a dashboard, an inputlookup command will not be affected by any time picker you have in your dashboard.

You will have to do some logic in a where clause after the inputlookup that will only select those rows from the lookup you want, e.g.:

| inputlookup Reference_Server_Logins.csv
| where _time>=$earliest$ AND _time<=$latest$

However, it's not quite so straightforward, as the earliest and latest tokens are not necessarily numeric values; for example, latest might be "now", which will not work with _time<now.

So, you will have to have a base search in the dashboard that calculates the earliest and latest from the time picker. This is a typical use case for creating tokens based on a time picker selection. Below, 'time_picker' is the field name of your time picker input, and the search will create earliest/latest tokens based on the NUMERIC values of the earliest and latest times, which can then be used in the search above.

<search>
  <query>
| makeresults
| addinfo
  </query>
  <earliest>$time_picker.earliest$</earliest>
  <latest>$time_picker.latest$</latest>
  <done>
    <set token="earliest">$result.info_min_time$</set>
    <set token="latest">$result.info_max_time$</set>
  </done>
</search>

Hope this helps


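A complete Simple XML dashboard that puts the two pieces of the answer above together (the time picker, the token-setting base search, and the filtered inputlookup panel). This is an added example, not the answerer's code; the dashboard label, the default time range, the chart type, the clamp of an "All time" range to now(), and the assumption that the CSV's _time column holds epoch seconds are mine.

```xml
<form>
  <label>Server logins from Reference_Server_Logins.csv</label>
  <fieldset submitButton="false">
    <!-- The token name here must match the $time_picker.*$ references below -->
    <input type="time" token="time_picker">
      <label>Time range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Base search: converts the picker's relative values ("-30d@d", "now")
       into numeric epoch bounds that a where clause on _time can compare.
       addinfo reports info_max_time as +Infinity for an "All time" range,
       so that case is clamped to now() to keep the token numeric (my choice). -->
  <search>
    <query>
| makeresults
| addinfo
| eval latest_epoch=if(info_max_time="+Infinity", now(), info_max_time)
| fields info_min_time latest_epoch
    </query>
    <earliest>$time_picker.earliest$</earliest>
    <latest>$time_picker.latest$</latest>
    <done>
      <set token="earliest">$result.info_min_time$</set>
      <set token="latest">$result.latest_epoch$</set>
    </done>
  </search>
  <row>
    <panel>
      <chart>
        <title>Daily logins by server (filtered by the time picker)</title>
        <!-- Inside XML the "<" of "<=" must be written as &lt; -->
        <search>
          <query>
| inputlookup Reference_Server_Logins.csv
| eval _time=tonumber(_time)
| where _time>=$earliest$ AND _time&lt;=$latest$
| sort 0 _time
          </query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the CSV already holds the report's daily timechart rows (_time plus one column per server), the panel only filters and sorts them; the chart renders _time as the x-axis and each server column as a series.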