Dashboard Panel field concatenation - Can this be done?

auzark
Communicator

Hi,

In the below code for a panel on my dashboard, I am displaying whether a report/alert is being skipped.

If the _time field returned from Lookup.csv is more than 20 minutes ago, I would also like to display the value of _time as well as the message. Can this be done?

<query>
| inputlookup append=t Lookup.csv
| eval tnow = now()
| eval lastruntime_unix = _time
| eval time_diff = tnow - lastruntime_unix
| eval status=if(time_diff > 1200, "1", "0")
| table status
| rangemap field=status low=0-0 severe=1-5 default=severe
| replace "0" with "Alert Run is Up to Date" in status
| replace "1" with "Alert Run is Skipping" in status
</query>


bowesmana
SplunkTrust

Use eval to set your status field, so replace from your table status with this:

| table status _time
| rangemap field=status low=0-0 severe=1-5 default=severe
| eval status="Alert Run is ".if(status=0, "Up to Date", "Skipping ".strftime(_time, "%F %T"))

You can change the format of your _time with the strftime statement.

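The two pieces put together, as an added example rather than code from either post: the asker's query with the accepted fix applied. It keeps _time through the table command so the final eval still has it to format, and goes a little further than the answer by also reporting how many minutes late the run is and by handling a lookup row with no _time at all. The lookup name and the 1200-second threshold come from the question; the "Never Run" branch for a missing _time is an assumption about what that case should mean.

```spl
| inputlookup append=t Lookup.csv
| eval time_diff = now() - _time
| eval status = case(isnull(_time), 2, time_diff > 1200, 1, true(), 0)
| table status _time time_diff
| rangemap field=status low=0-0 severe=1-5 default=severe
| eval status = "Alert Run is ".case(
      status=0, "Up to Date (last run ".strftime(_time, "%F %T").")",
      status=1, "Skipping (last run ".strftime(_time, "%F %T").", ".round(time_diff/60)." min ago)",
      true(), "Never Run")
| fields - time_diff
```

The rangemap still produces the range field for panel colouring, and a missing _time falls into 1-5 and so is coloured severe along with a skipped run.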

auzark
Communicator

Thank You, bowesmana.....


