Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Passing checkbox values to timechart

vaishnavi07
Explorer
‎05-14-2014 12:19 AM

Hi i am using checkboxes module with sideview. I have to pass the values that i select in checkbox drand display graph for that. If i select "%_Processor_Time" then i should get graph displaying avg(%_Processor_Time). If i select two option like %_Processor_Time and %_DPC_Time then graph should get displayed for both.

For now the the query is getting passed like this.

search index=winserver_perf sourcetype="PerfmonMk:Processor" host="adwas1701" | timechart avg(Avg(%_Processor_Time))

If i select two option in checkbox then query looks like this.

index=winserver_perf sourcetype="PerfmonMk:Processor" host="adwas1701" | timechart avg(Avg(%_Processor_Time),Avg(%_DPC_Time))

There are two avg's getting passed in query. I dunno how to remove that. 

                  <module name="Checkboxes" layoutPanel="panel_row2_col2">
        <param name="name">column</param>
        <param name="valueField">column</param>
        <param name="labelField">label</param>
        <param name="separator">,</param> 
        <param name="template">Avg($value$)</param>
        <param name="outerTemplate">$value$</param>  


                <module name="Search" layoutPanel="panel_row2_col1" autoRun="False">
                  <param name="search"> index=winserver_perf sourcetype="PerfmonMk:$sourcetype$" host="$host$"  | timechart avg($column$) </param>
                  <module name="JobProgressIndicator" /> 
                 <module name="ValueSetter" >

right
line
Time

$statistic$($column$)
$host$ : $sourcetype$ : $column$

connect

300px
100%



Can anyone please help me in finding out what is the mistake in the above code? Thanks in advance!

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-14-2014 02:27 AM

Remove the avg() around your $column$ in the search.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-14-2014 02:59 PM

As it is now, you have two avg() wrapped inside each other. One is here:

... | timechart avg($column$)

And the other is here:

<param name="template">Avg($value$)</param>

Resulting in this:

| timechart avg(Avg(%_Processor_Time),Avg(%_DPC_Time))

What you want is this:

... | timechart $column$

and this:

<param name="template">avg($value$)</param>

Resulting in this:

| timechart avg(%_Processor_Time),avg(%_DPC_Time)
0 Karma
Reply

vaishnavi07
Explorer
‎05-14-2014 03:20 AM

If i remove the Avg() then its showing error as func() is needed for timechart.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...