Hello,
Is it possible to populate drop down in Dashboard with eval values. I have a query as given below which returns me a string.
index=test sourcetype="testabc"
| rename sre_job_id as JOB_ID
| stats earliest(_time) AS Earliest by JOB_ID
| eval FirstEvent=strftime(Earliest,"%b %d, %Y %H:%M:%S")
| eval JOB_ID_STR=tostring(JOB_ID)
| eval JOB-ID-WITH-TIME=JOB_ID + "-" + FirstEvent
| table JOB-ID-WITH-TIME
| dedup JOB-ID-WITH-TIME
| sort JOB-ID-WITH-TIME
When I run this search with time as "Last 7 days", I get 3 records back.
| 7220-Aug 13, 2020 11:22:00 |
| 7320-Aug 13, 2020 11:46:32 |
| 7800-Aug 14, 2020 04:50:06 |
But when I use the same query in my drop-down in dashboard, I do not see any data. Below is the xml for the same:
<input type="dropdown" token="jobIDII" searchWhenChanged="true">
<label>JOB ID II</label>
<fieldForLabel>sre_job_id</fieldForLabel>
<fieldForValue>sre_job_id</fieldForValue>
<search>
<query>index=test sourcetype="testabc"
| rename sre_job_id as JOB_ID
| stats earliest(_time) AS Earliest by JOB_ID
| eval FirstEvent=strftime(Earliest,"%b %d, %Y %H:%M:%S")
| eval JOB_ID_STR=tostring(JOB_ID)
| eval JOB-ID-WITH-TIME=JOB_ID + "-" + FirstEvent
| table JOB-ID-WITH-TIME
| dedup JOB-ID-WITH-TIME
| sort JOB-ID-WITH-TIME</query>
<earliest>$timeToken.earliest$</earliest>
<latest>$timeToken.latest$</latest>
</search>
</input>
NOTE: timeToken is the token for DURATION.
I also have a time input to filter the data for the above query in my dashboard. Please see the picture below:
If you see above, JOB ID II is not populating any data and I cannot select anything from here.
Thanks for your time in advance.
