Splunk Search

How to use a field in SingleValue label?

richgalloway
SplunkTrust
SplunkTrust

I'm using singleValue fields to display status values and icons in my dashboard. I'd like to use the reltime command to indicate how old the status is, but can't get it to work. Here is my code:

<panel>
  <single>
    <title>Spectrum</title>
    <searchString>index=foo | reltime | rangemap field=CPU low=0-60, elevated=61-80, default=severe</searchString>
    <earliestTime>-5m@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="classField">range</option>
    <option name="field">CPU</option>
    <option name="underLabel">$reltime$</option>
    <option name="refresh.auto.interval">60</option>
  </single>
</panel>

The status displays correctly, but the under label is "$RELTIME$" instead of a time string. Does singleValue support this?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Paolo_Prigione
Builder

In Splunk 6.3 you can do this using the "finalized" and "set" tags.
Note that the "search" element is new, and "searchstring" has been deprecated.

<panel>
   <single>
     <title>Spectrum</title>
     <search>
        <query>index=foo | reltime | rangemap field=CPU low=0-60, elevated=61-80, default=severe | fields + CPU reltime</query>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
        <finalized>
             <set token="RELTIME">$result.reltime$</set>
        </finalized>
     </search>
     <option name="classField">range</option>
     <option name="field">CPU</option>
     <option name="underLabel">$RELTIME$</option>
     <option name="refresh.auto.interval">60</option>
   </single>
 </panel>

gyslainlatsa
Motivator

hi
Here's an example I offer because the token reltime needs an input to return a result, try to think in this direction

<form>

  <label>reltime</label>
  <description>this dashboard</description>

  <fieldset submitButton="false">
   <input type="dropdown" token="reltime" searchWhenChanged="true">
      <label>Change reltime</label>
      <choice value="17 seconds ago">17 seconds ago</choice>
      <search>
        <query>index=foo |reltime |table reltime </query>
      </search>
      <default>17 seconds ago</default>
      <fieldForLabel>reltime</fieldForLabel>
      <fieldForValue>reltime</fieldForValue>

    </input>
 </fieldset>

<row> 
<panel>

   <single>
     <title>Spectrum</title>
     <search>
       <query>
       index=foo |reltime |rangemap field=CPU low=0-60, elevated=61-80, default=severe
       </query>
     </search>
     <earliestTime>-5m@m</earliestTime>
     <latestTime>now</latestTime>
     <option name="classField">range</option>
     <option name="field">CPU</option>
     <option name="refresh.auto.interval">60</option>
     <option name="underLabel">$reltime$</option>
   </single>

 </panel>
 </row>   

</form>  
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thanks for the answer. I would like to do this without the dropdown since the dashboard is refreshing automatically. However, if I remove the dropdown then I'm back where I started. If I leave the dropdown in place, the underlabel is fixed rather than using the value from my query.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

After further experimentation, I've confirmed the underLabel field is merely whatever text was selected from the dropdown. It is not dynamic at all (which I need) and seems to have nothing at all to do with a search query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...