Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to pass token in dashbaord
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to pass token in dashbaord
Vani_26
Path Finder
05-26-2023
12:40 PM
Below is my original xml code for dashboard.
from the panel of EPP TimeZone , i have modified the query using tstats, query is working fine, but when i compare with original xml code query i am not able to pass tokens ((prodct="$eppProduct$") OR site="$eppProduct$")) in my tstats query.
can anyone please help on this.
<form>
<label>EPP Mode Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="eppProduct" searchWhenChanged="true">
<label>Product</label>
<fieldForLabel>all_product</fieldForLabel>
<fieldForValue>all_product</fieldForValue>
<search>
<query> |tstats count where index=epp-prd-clc by site host host_ip
|eval prodct= case(like(host, "%prod%"), "PROD", like(host, "%pat%"), "PAT", like(host, "%sit%"), "SIT", like(host, "%dev%"), "DEV")
|stats count by site prodct
|eval all_product=if(like(prodct, "PROD"), site, prodct)</query>
<earliest> -4h@h </earliest>
<latest>now</latest>
</search>
<default>*</default>
<intialValue>*</intialValue>
<choice value="*"> ALL </choice>
</input>
<input type="time" token "eppTime" searchWhenChanged="true"
<label>Time</label>
<default>
<earliest> -60m@m </earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>EPP TimeZone</title>
<chart>
<title> Average Response Time</title>
<search>
<query> index=epp-prd-clc variable="ap" virginal="ssc" (prodct="$eppProduct$") OR site="$eppProduct$") deposit="calp" |eval Deposit=upper(deposit) |timechart avg(duration) as Duration
|eval Duration=round(Duration,2)</query>
<earliest> $eppTime.earliest$ </earliest>
<latest>$eppTime.latest$</latest>
</search>
<option nmae="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle </option>
<option nmae="charting.axisLabelsX.majorLabelStyle.rotation">0 </option>
<option nmae="charting.chart"> line </option>
<option nmae="charting.chart.nullValueMode"> zero </option>
<option nmae="charting.chart.showDataLabels">minmax </option>
<option nmae="charting.drilldown>all </option>
<option nmae="charting.layout.splitSeries"> 1 </option>
<option nmae="referesh.display"> none </option>
</chart>
</panel>
</row>
</form>
below is the modified xml dashboard code using tstats.
<form>
<label>EPP Mode Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="eppProduct" searchWhenChanged="true">
<label>Product</label>
<fieldForLabel>all_product</fieldForLabel>
<fieldForValue>all_product</fieldForValue>
<search>
<query> |tstats count where index=epp-prd-clc by site host host_ip
|eval prodct= case(like(host, "%prod%"), "PROD", like(host, "%pat%"), "PAT", like(host, "%sit%"), "SIT", like(host, "%dev%"), "DEV")
|stats count by site prodct
|eval all_product=if(like(prodct, "PROD"), site, prodct)</query>
<earliest> -4h@h </earliest>
<latest>now</latest>
</search>
<default>*</default>
<intialValue>*</intialValue>
<choice value="*"> ALL </choice>
</input>
<input type="time" token "eppTime" searchWhenChanged="true"
<label>Time</label>
<default>
<earliest> -60m@m </earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>EPP TimeZone</title>
<chart>
<title> Average Response Time</title>
<search>
<query> |tstats avg(duration) as Duration where index=epp-prd-clc TERM(variable) TERM("ap")TERM(virginal) TERM("ssc") TERM(deposit) TERM("calp") BY PREFIX(deposit:) _time
|rename deposit: as Deposit
|eval Deposit=upper(deposit) |timechart
|eval Duration=round(Duration,2)</query>
<earliest> $eppTime.earliest$ </earliest>
<latest>$eppTime.latest$</latest>
</search>
<option nmae="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle </option>
<option nmae="charting.axisLabelsX.majorLabelStyle.rotation">0 </option>
<option nmae="charting.chart"> line </option>
<option nmae="charting.chart.nullValueMode"> zero </option>
<option nmae="charting.chart.showDataLabels">minmax </option>
<option nmae="charting.drilldown>all </option>
<option nmae="charting.layout.splitSeries"> 1 </option>
<option nmae="referesh.display"> none </option>
</chart>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
05-26-2023
01:15 PM
What exactly do you mean by "i am not able to pass tokens ...in my tstats query"? What is stopping you?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vani_26
Path Finder
05-26-2023
01:21 PM
below is my tstats query, how to pass this token (prodct="$eppProduct$") OR site="$eppProduct$")
in this query:
i pasted original query also, in original query tokens are there but when i trying to pass in tstats its not working
|tstats avg(duration) as Duration where index=epp-prd-clc TERM(variable) TERM("ap")TERM(virginal) TERM("ssc") TERM(deposit) TERM("calp") BY PREFIX(deposit:) _time
|rename deposit: as Deposit
|eval Deposit=upper(deposit) |timechart
|eval Duration=round(Duration,2)orginal query:
index=epp-prd-clc variable="ap" virginal="ssc" (prodct="$eppProduct$") OR site="$eppProduct$") deposit="calp" |eval Deposit=upper(deposit) |timechart avg(duration) as Duration |eval Duration=round(Duration,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
05-26-2023
01:35 PM
Those queries were in the OP. I still don't know what "its not working" means. What results do you get? What results are you expecting?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
