Solved: Timechart Search using TextBox

sathish2k8 · ‎02-05-2018

I want to include search box to search account and it should display the timechart also. Please help. Presently only timechart is displaying.

index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  | timechart count by account | search account=0101010101

mayurr98 · ‎02-05-2018

Hey @sathish2k8

Go to dashboards>>create new dashboard and put following XML

<form>
  <label>test</label>
  <fieldset submitButton="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>TimePicker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="account" searchWhenChanged="true">
      <label>Account</label>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"  |  timechart count by account</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

let me know if this helps!

View solution in original post

mayurr98 · ‎02-05-2018

Hey @sathish2k8

Go to dashboards>>create new dashboard and put following XML

<form>
  <label>test</label>
  <fieldset submitButton="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>TimePicker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="account" searchWhenChanged="true">
      <label>Account</label>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"  |  timechart count by account</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

let me know if this helps!

sathish2k8 · ‎02-06-2018

not working, chart not loading.

mayurr98 · ‎02-06-2018

i have changed my xml pls check again.
as you are formatting account then the search should be after eval

index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"  |  timechart count by account

Also after this whenever you enter the text in text box after hitting enter. open in search and see what is getting substituted in the place of account and troubleshoot in that way.

let me know if this helps!

493669 · ‎02-05-2018

have you tried this:

index=os sourcetype="logger" account="0101010101" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  | timechart count by account

sathish2k8 · ‎02-05-2018

how it gets input from text box do we need to use append keyword?

493669 · ‎02-05-2018

if you have input like this in xml:

<form>
   <label>sample</label>
   <fieldset submitButton="false">
     <input type="text" token="account">
       <label>Account</label>
       <initialValue></initialValue>
     </input>
   </fieldset>
 </form>

then you can use token value to search like $account$
then try this:

index=os sourcetype="logger"| eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"| timechart count by account

Timechart Search using TextBox

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms