Splunk Search

How to use a field in SingleValue label?

richgalloway
SplunkTrust
SplunkTrust

I'm using singleValue fields to display status values and icons in my dashboard. I'd like to use the reltime command to indicate how old the status is, but can't get it to work. Here is my code:

<panel>
  <single>
    <title>Spectrum</title>
    <searchString>index=foo | reltime | rangemap field=CPU low=0-60, elevated=61-80, default=severe</searchString>
    <earliestTime>-5m@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="classField">range</option>
    <option name="field">CPU</option>
    <option name="underLabel">$reltime$</option>
    <option name="refresh.auto.interval">60</option>
  </single>
</panel>

The status displays correctly, but the under label is "$RELTIME$" instead of a time string. Does singleValue support this?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Paolo_Prigione
Builder

In Splunk 6.3 you can do this using the "finalized" and "set" tags.
Note that the "search" element is new, and "searchstring" has been deprecated.

<panel>
   <single>
     <title>Spectrum</title>
     <search>
        <query>index=foo | reltime | rangemap field=CPU low=0-60, elevated=61-80, default=severe | fields + CPU reltime</query>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
        <finalized>
             <set token="RELTIME">$result.reltime$</set>
        </finalized>
     </search>
     <option name="classField">range</option>
     <option name="field">CPU</option>
     <option name="underLabel">$RELTIME$</option>
     <option name="refresh.auto.interval">60</option>
   </single>
 </panel>

gyslainlatsa
Motivator

hi
Here's an example I offer because the token reltime needs an input to return a result, try to think in this direction

<form>

  <label>reltime</label>
  <description>this dashboard</description>

  <fieldset submitButton="false">
   <input type="dropdown" token="reltime" searchWhenChanged="true">
      <label>Change reltime</label>
      <choice value="17 seconds ago">17 seconds ago</choice>
      <search>
        <query>index=foo |reltime |table reltime </query>
      </search>
      <default>17 seconds ago</default>
      <fieldForLabel>reltime</fieldForLabel>
      <fieldForValue>reltime</fieldForValue>

    </input>
 </fieldset>

<row> 
<panel>

   <single>
     <title>Spectrum</title>
     <search>
       <query>
       index=foo |reltime |rangemap field=CPU low=0-60, elevated=61-80, default=severe
       </query>
     </search>
     <earliestTime>-5m@m</earliestTime>
     <latestTime>now</latestTime>
     <option name="classField">range</option>
     <option name="field">CPU</option>
     <option name="refresh.auto.interval">60</option>
     <option name="underLabel">$reltime$</option>
   </single>

 </panel>
 </row>   

</form>  
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thanks for the answer. I would like to do this without the dropdown since the dashboard is refreshing automatically. However, if I remove the dropdown then I'm back where I started. If I leave the dropdown in place, the underlabel is fixed rather than using the value from my query.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

After further experimentation, I've confirmed the underLabel field is merely whatever text was selected from the dropdown. It is not dynamic at all (which I need) and seems to have nothing at all to do with a search query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...