Dashboards & Visualizations

Why is my drop-down time token not working?

Federica_92
Communicator

I'm following the documentation: http://docs.splunk.com/Documentation/Splunk/6.2.3/Viz/Buildandeditforms
I created 2 really simple drop-down input, but the time range selector is not executing the searches, could someone help me?

 <form>
 <label> report</label>
 <fieldset autoRun="true" submitButton="false">
 <input type="time" searchWhenChanged="true" token="dashboardTime">
   <label>Select time range</label>
  <default>
        <earliest>-24h@h</earliest>
     <latest>now</latest>
    </default>
     </input>
<input type="dropdown" searchWhenChanged="true" token="user">
  <label>Select userName</label>
  <!-- Hard-code the choice for "All" -->
  <choice value="*">All</choice>
  <search>
    <query>index=test ActingUserName=* | dedup ActingUserName</query>
  </search>
  <fieldForLabel>ActingUserName</fieldForLabel>
  <fieldForValue>ActingUserName</fieldForValue>
</input>
  </fieldset>
   <row>
     <panel>
      <title>MessageID=109 Get file request</title>
      <table>
      <search>
            <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
        <earliestTime>$dashboardTime.earliest$</earliestTime>
        <latestTime>$dashboardTime.latest$</latestTime>
  </search>
    <option name="wrap">undefined</option>
    <option name="rowNumbers">undefined</option>
    <option name="drilldown">row</option>
  </table>
</panel>
   </row>
Tags (3)
0 Karma
1 Solution

badrinath_itrs
Communicator

Hi ,

Please change your search query xml as below so that the time ranger drop down will work for you.

      <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
      <earliest>$dashboardTime.earliest$</earliest>
      <latest>$dashboardTime.latest$</latest>
    </search>

Thanks .. Hope it helps.

View solution in original post

badrinath_itrs
Communicator

Hi ,

Please change your search query xml as below so that the time ranger drop down will work for you.

      <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
      <earliest>$dashboardTime.earliest$</earliest>
      <latest>$dashboardTime.latest$</latest>
    </search>

Thanks .. Hope it helps.

badrinath_itrs
Communicator

My Mistake ( Copy / Paste problem ) . It should be as below for earliest and latest time. Can you try below and let me know how it works. I have updated the same in answer section as well.

 <search>
          <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
          <earliest>$dashboardTime.earliest$</earliest>
          <latest>$dashboardTime.latest$</latest>
        </search>
0 Karma

Federica_92
Communicator

what exactly did you change?

0 Karma

badrinath_itrs
Communicator

Instead of tag value "earliestTime" I have changed to "earliest" only . Same with latest time .

Does that help ?

Federica_92
Communicator

Yes, it works perfectly, thank you!

0 Karma

Federica_92
Communicator

I copy and paste it, but it still doesn't work, I'm sorry but I don't see the difference btw your query and mine..

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...