Splunk Search

Dashboard single value sentence including time

bcarr12
Path Finder

Hi all,

I'm currently working on a dashboard in Splunk that I am trying to take a count value and include it in a sentence to make it more presentable. As of now, I am able to get a count of events and then create a variable that works great:
eval today=count." "."messages processed today."

I have this dashboard panel set to refresh every hour, so ideally I would like the text to say "xxx messages processed today as of (time most recent search completed)". I've tried creating variables to do this or using by using stats, but any time I include the time in my "today" variable it causes no results to show up. Any thoughts?

0 Karma
1 Solution

cmerriman
Super Champion

try something like this:

|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")| eval today=count+" "+"messages processed"+time+"."

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

What is your query?

---
If this reply helps you, Karma would be appreciated.
0 Karma

cmerriman
Super Champion

try something like this:

|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")| eval today=count+" "+"messages processed"+time+"."

bcarr12
Path Finder

I've tried that, but anytime I do my table that used to display the text string returns nothing. Am I doing something in the wrong order?

source="mylog.log" | eval time=strftime(_time,"%I:%M %p") | stats count | eval count=tostring(count, "commas") | eval today=count." "."messages processed today as of"." ".time | table today
0 Karma

cmerriman
Super Champion

you need time in your stats command

| eval time=strftime(_time,"%I:%M %p") | stats count max(time) as time| eval count=tostring(count, "commas") | eval today=count." "."messages processed today as of"." ".time| table today
0 Karma

bcarr12
Path Finder

Thanks, I made a slight tweak and it is working perfectly now!

source="mylog.log" | eval time=strftime(_time,"%I:%M %p") | stats count latest(time) as time | eval count=tostring(count, "commas") | eval today=count." "."messages processed as of"." ".time | table today
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...