Hi,
I have created a dashboard with 2 dropdowns, one based on host and one based on Time Range. When I select a host it works, but Time Range does not.
I am populating the values using this search, and I can see the values in the search:
index=myindex source="/logs/app/*" | rex field=_raw "^(?<Time>[^,]+)" | dedup Time | table Time
And here is the main search used for displaying the results in table format:
index=myindex source="/logs/app/*" host="$drophost$" Time="$timerange$" | reverse | rex field=_raw "^(?<Time>[^,]+),(?<Host>[^,]+),(?<Contents>.*)" | eventstats latest(Time) as current | where current=Time | stats list(Contents) as Contents by Host Time | table Time Host Contents
Any help is appreciated.
You might have to replace 'Time' with '_time' in the queries, and then you may have to do some playing around with the drop-downs.
The time field is always a little tricky to mess around with. Quirky.
I use something like this to use the drop down time ranges:
detail.utr="*" earliest=$dashboardTime.earliest$ latest=$dashboardTime.latest$ | stats count by detail.formId
Thank you. Actually, I am extracting Time from events.
I am able to make it work, and here is the search:
index=myindex source="/logs/app/*" host="$drophost$" | reverse | rex field=_raw "^(?<Time>[^,]+),(?<Host>[^,]+),(?<Contents>.*)" | search Time="$timerange$" | stats list(Contents) as Contents by Host Time | table Time Host Contents