Splunk Search

How to edit my dashboard so that my dropdown values will properly display?

Communicator

Hi,
I have created a dashboard with 2 dropdowns, one based on host and one based on Time Range. When I select a host it works, but the Time Range does not.

I am populating the values by using this search, and I can see the values in search:

index=myindex source="/logs/app/*" | rex field=_raw "^(?<Time>[^,]+)" | dedup Time | table Time

And here is the main search I am using for displaying results in table format:

index=myindex source="/logs/app/*" host="$drophost$" Time="$timerange$" | reverse | rex field=_raw "^(?<Time>[^,]+),(?<Host>[^,]+),(?<Contents>.*)" | eventstats latest(Time) as current | where current=Time | stats list(Contents) as Contents by Host Time | table Time Host Contents

Any help is appreciated.

1 Solution

Contributor

You might have to replace 'Time' with '_time' in the queries, and then you may have to do some playing around with the drop-downs.
The time field is always a little tricky to mess around with. Quirky.

I use something like this to use the drop down time ranges:
detail.utr="*" earliest=$dashboardTime.earliest$ latest=$dashboardTime.latest$ | stats count by detail.formId


Communicator

Thank you. Actually, I am extracting Time from events.

I am able to make it work, and here is the search:

index=myindex source="/logs/app/*" host="$drophost$" | reverse | rex field=_raw "^(?<Time>[^,]+),(?<Host>[^,]+),(?<Contents>.*)" | search Time="$timerange$" | stats list(Contents) as Contents by Host Time | table Time Host Contents

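The working arrangement from this thread, written out as a Simple XML dashboard. This is an added example, not part of any post above. It assumes the capture-group names Time, Host and Contents (taken from the fields the thread's searches use), a constructed host-populating search, a constructed -24h time window, and the `|s` token filter to quote token values.

```xml
<form version="1.1">
  <label>App log viewer (constructed example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="drophost" searchWhenChanged="true">
      <label>Host</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <!-- Assumed populating search; the thread does not show the one used for hosts -->
        <query>index=myindex source="/logs/app/*" | stats count by host | fields host</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="timerange" searchWhenChanged="true">
      <label>Time Range</label>
      <fieldForLabel>Time</fieldForLabel>
      <fieldForValue>Time</fieldForValue>
      <search>
        <!-- CDATA keeps the "<" of the named capture group from being parsed as XML -->
        <query><![CDATA[index=myindex source="/logs/app/*" host=$drophost|s$
| rex field=_raw "^(?<Time>[^,]+)" | dedup Time | table Time]]></query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- host is a default indexed field, so it can filter in the base search.
               Time exists only after rex runs, so its filter must come after the rex. -->
          <query><![CDATA[index=myindex source="/logs/app/*" host=$drophost|s$
| reverse
| rex field=_raw "^(?<Time>[^,]+),(?<Host>[^,]+),(?<Contents>.*)"
| search Time=$timerange|s$
| stats list(Contents) as Contents by Host Time
| table Time Host Contents]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `|s` filter wraps each token value in quotes and escapes quotes inside it, so a dropdown value containing spaces or quote characters cannot change the structure of the search.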