How to use a field in SingleValue label?

richgalloway · ‎04-20-2015

I'm using singleValue fields to display status values and icons in my dashboard. I'd like to use the reltime command to indicate how old the status is, but can't get it to work. Here is my code:

<panel>
  <single>
    <title>Spectrum</title>
    <searchString>index=foo | reltime | rangemap field=CPU low=0-60, elevated=61-80, default=severe</searchString>
    <earliestTime>-5m@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="classField">range</option>
    <option name="field">CPU</option>
    <option name="underLabel">$reltime$</option>
    <option name="refresh.auto.interval">60</option>
  </single>
</panel>

The status displays correctly, but the under label is "$RELTIME$" instead of a time string. Does singleValue support this?

---
If this reply helps you, Karma would be appreciated.

Paolo_Prigione · ‎12-03-2015

In Splunk 6.3 you can do this using the "finalized" and "set" tags.
Note that the "search" element is new, and "searchstring" has been deprecated.

<panel>
   <single>
     <title>Spectrum</title>
     <search>
        <query>index=foo | reltime | rangemap field=CPU low=0-60, elevated=61-80, default=severe | fields + CPU reltime</query>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
        <finalized>
             <set token="RELTIME">$result.reltime$</set>
        </finalized>
     </search>
     <option name="classField">range</option>
     <option name="field">CPU</option>
     <option name="underLabel">$RELTIME$</option>
     <option name="refresh.auto.interval">60</option>
   </single>
 </panel>

gyslainlatsa · ‎04-21-2015

hi
Here's an example I offer because the token reltime needs an input to return a result, try to think in this direction

<form>

  <label>reltime</label>
  <description>this dashboard</description>

  <fieldset submitButton="false">
   <input type="dropdown" token="reltime" searchWhenChanged="true">
      <label>Change reltime</label>
      <choice value="17 seconds ago">17 seconds ago</choice>
      <search>
        <query>index=foo |reltime |table reltime </query>
      </search>
      <default>17 seconds ago</default>
      <fieldForLabel>reltime</fieldForLabel>
      <fieldForValue>reltime</fieldForValue>

    </input>
 </fieldset>

<row> 
<panel>

   <single>
     <title>Spectrum</title>
     <search>
       <query>
       index=foo |reltime |rangemap field=CPU low=0-60, elevated=61-80, default=severe
       </query>
     </search>
     <earliestTime>-5m@m</earliestTime>
     <latestTime>now</latestTime>
     <option name="classField">range</option>
     <option name="field">CPU</option>
     <option name="refresh.auto.interval">60</option>
     <option name="underLabel">$reltime$</option>
   </single>

 </panel>
 </row>   

</form>

richgalloway · ‎04-22-2015

Thanks for the answer. I would like to do this without the dropdown since the dashboard is refreshing automatically. However, if I remove the dropdown then I'm back where I started. If I leave the dropdown in place, the underlabel is fixed rather than using the value from my query.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎04-24-2015

After further experimentation, I've confirmed the underLabel field is merely whatever text was selected from the dropdown. It is not dynamic at all (which I need) and seems to have nothing at all to do with a search query.

---
If this reply helps you, Karma would be appreciated.

How to use a field in SingleValue label?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?