Dashboards & Visualizations

Why is my drop-down time token not working?

Federica_92
Communicator

I'm following the documentation: http://docs.splunk.com/Documentation/Splunk/6.2.3/Viz/Buildandeditforms
I created 2 really simple drop-down input, but the time range selector is not executing the searches, could someone help me?

 <form>
 <label> report</label>
 <fieldset autoRun="true" submitButton="false">
 <input type="time" searchWhenChanged="true" token="dashboardTime">
   <label>Select time range</label>
  <default>
        <earliest>-24h@h</earliest>
     <latest>now</latest>
    </default>
     </input>
<input type="dropdown" searchWhenChanged="true" token="user">
  <label>Select userName</label>
  <!-- Hard-code the choice for "All" -->
  <choice value="*">All</choice>
  <search>
    <query>index=test ActingUserName=* | dedup ActingUserName</query>
  </search>
  <fieldForLabel>ActingUserName</fieldForLabel>
  <fieldForValue>ActingUserName</fieldForValue>
</input>
  </fieldset>
   <row>
     <panel>
      <title>MessageID=109 Get file request</title>
      <table>
      <search>
            <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
        <earliestTime>$dashboardTime.earliest$</earliestTime>
        <latestTime>$dashboardTime.latest$</latestTime>
  </search>
    <option name="wrap">undefined</option>
    <option name="rowNumbers">undefined</option>
    <option name="drilldown">row</option>
  </table>
</panel>
   </row>
Tags (3)
0 Karma
1 Solution

badrinath_itrs
Communicator

Hi ,

Please change your search query xml as below so that the time ranger drop down will work for you.

      <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
      <earliest>$dashboardTime.earliest$</earliest>
      <latest>$dashboardTime.latest$</latest>
    </search>

Thanks .. Hope it helps.

View solution in original post

badrinath_itrs
Communicator

Hi ,

Please change your search query xml as below so that the time ranger drop down will work for you.

      <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
      <earliest>$dashboardTime.earliest$</earliest>
      <latest>$dashboardTime.latest$</latest>
    </search>

Thanks .. Hope it helps.

badrinath_itrs
Communicator

My Mistake ( Copy / Paste problem ) . It should be as below for earliest and latest time. Can you try below and let me know how it works. I have updated the same in answer section as well.

 <search>
          <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
          <earliest>$dashboardTime.earliest$</earliest>
          <latest>$dashboardTime.latest$</latest>
        </search>
0 Karma

Federica_92
Communicator

what exactly did you change?

0 Karma

badrinath_itrs
Communicator

Instead of tag value "earliestTime" I have changed to "earliest" only . Same with latest time .

Does that help ?

Federica_92
Communicator

Yes, it works perfectly, thank you!

0 Karma

Federica_92
Communicator

I copy and paste it, but it still doesn't work, I'm sorry but I don't see the difference btw your query and mine..

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...