Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to pass token in dashbaord
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to pass token in dashbaord
Vani_26
Path Finder
05-26-2023
12:40 PM
Below is my original xml code for dashboard.
from the panel of EPP TimeZone , i have modified the query using tstats, query is working fine, but when i compare with original xml code query i am not able to pass tokens ((prodct="$eppProduct$") OR site="$eppProduct$")) in my tstats query.
can anyone please help on this.
<form>
<label>EPP Mode Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="eppProduct" searchWhenChanged="true">
<label>Product</label>
<fieldForLabel>all_product</fieldForLabel>
<fieldForValue>all_product</fieldForValue>
<search>
<query> |tstats count where index=epp-prd-clc by site host host_ip
|eval prodct= case(like(host, "%prod%"), "PROD", like(host, "%pat%"), "PAT", like(host, "%sit%"), "SIT", like(host, "%dev%"), "DEV")
|stats count by site prodct
|eval all_product=if(like(prodct, "PROD"), site, prodct)</query>
<earliest> -4h@h </earliest>
<latest>now</latest>
</search>
<default>*</default>
<intialValue>*</intialValue>
<choice value="*"> ALL </choice>
</input>
<input type="time" token "eppTime" searchWhenChanged="true"
<label>Time</label>
<default>
<earliest> -60m@m </earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>EPP TimeZone</title>
<chart>
<title> Average Response Time</title>
<search>
<query> index=epp-prd-clc variable="ap" virginal="ssc" (prodct="$eppProduct$") OR site="$eppProduct$") deposit="calp" |eval Deposit=upper(deposit) |timechart avg(duration) as Duration
|eval Duration=round(Duration,2)</query>
<earliest> $eppTime.earliest$ </earliest>
<latest>$eppTime.latest$</latest>
</search>
<option nmae="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle </option>
<option nmae="charting.axisLabelsX.majorLabelStyle.rotation">0 </option>
<option nmae="charting.chart"> line </option>
<option nmae="charting.chart.nullValueMode"> zero </option>
<option nmae="charting.chart.showDataLabels">minmax </option>
<option nmae="charting.drilldown>all </option>
<option nmae="charting.layout.splitSeries"> 1 </option>
<option nmae="referesh.display"> none </option>
</chart>
</panel>
</row>
</form>
below is the modified xml dashboard code using tstats.
<form>
<label>EPP Mode Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="eppProduct" searchWhenChanged="true">
<label>Product</label>
<fieldForLabel>all_product</fieldForLabel>
<fieldForValue>all_product</fieldForValue>
<search>
<query> |tstats count where index=epp-prd-clc by site host host_ip
|eval prodct= case(like(host, "%prod%"), "PROD", like(host, "%pat%"), "PAT", like(host, "%sit%"), "SIT", like(host, "%dev%"), "DEV")
|stats count by site prodct
|eval all_product=if(like(prodct, "PROD"), site, prodct)</query>
<earliest> -4h@h </earliest>
<latest>now</latest>
</search>
<default>*</default>
<intialValue>*</intialValue>
<choice value="*"> ALL </choice>
</input>
<input type="time" token "eppTime" searchWhenChanged="true"
<label>Time</label>
<default>
<earliest> -60m@m </earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>EPP TimeZone</title>
<chart>
<title> Average Response Time</title>
<search>
<query> |tstats avg(duration) as Duration where index=epp-prd-clc TERM(variable) TERM("ap")TERM(virginal) TERM("ssc") TERM(deposit) TERM("calp") BY PREFIX(deposit:) _time
|rename deposit: as Deposit
|eval Deposit=upper(deposit) |timechart
|eval Duration=round(Duration,2)</query>
<earliest> $eppTime.earliest$ </earliest>
<latest>$eppTime.latest$</latest>
</search>
<option nmae="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle </option>
<option nmae="charting.axisLabelsX.majorLabelStyle.rotation">0 </option>
<option nmae="charting.chart"> line </option>
<option nmae="charting.chart.nullValueMode"> zero </option>
<option nmae="charting.chart.showDataLabels">minmax </option>
<option nmae="charting.drilldown>all </option>
<option nmae="charting.layout.splitSeries"> 1 </option>
<option nmae="referesh.display"> none </option>
</chart>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
05-26-2023
01:15 PM
What exactly do you mean by "i am not able to pass tokens ...in my tstats query"? What is stopping you?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vani_26
Path Finder
05-26-2023
01:21 PM
below is my tstats query, how to pass this token (prodct="$eppProduct$") OR site="$eppProduct$")
in this query:
i pasted original query also, in original query tokens are there but when i trying to pass in tstats its not working
|tstats avg(duration) as Duration where index=epp-prd-clc TERM(variable) TERM("ap")TERM(virginal) TERM("ssc") TERM(deposit) TERM("calp") BY PREFIX(deposit:) _time
|rename deposit: as Deposit
|eval Deposit=upper(deposit) |timechart
|eval Duration=round(Duration,2)orginal query:
index=epp-prd-clc variable="ap" virginal="ssc" (prodct="$eppProduct$") OR site="$eppProduct$") deposit="calp" |eval Deposit=upper(deposit) |timechart avg(duration) as Duration |eval Duration=round(Duration,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
05-26-2023
01:35 PM
Those queries were in the OP. I still don't know what "its not working" means. What results do you get? What results are you expecting?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!
What’s New & Next in Splunk SOAR
Security teams today are dealing with more alerts, more tools, and more pressure than ever. Join us on ...
Your Voice Matters! Help Us Shape the New Splunk Lantern Experience
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
September Community Champions: A Shoutout to Our Contributors!
As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...
