Timechart not populating the result

mayank101 · ‎07-23-2019

I have a checkbox named host in which user enters the hostname manually, and then as per the name entered it should display the timechart.But it still shows waiting for input even after I enter. Can anyone please help in my case. I have pasted below the XML

       <query>index="xxxxx" 
         publisher="xxx"
      (entity="*:boot*" event="FAIL-ALERT" state!="Clear")

  |rex field=entity "_(?!.*_)(?&lt;host&gt;.*)" |eval myhost=$host$ |timechart useother=f count by myhost limit=200</query>
      <earliest>-6mon@mon</earliest>
      <latest>now</latest>

jpolvino · ‎07-23-2019

If you're collecting hostname from the user via a text field that becomes a token like $host$ then why are you also extracting host from the entity field?

If you want to use the token from then dashboard, then try putting $host$ in double quotes. As in: |eval myhost="$host$"

It might help to pull the query from the dashboard and run it directly in search. Be sure to substitute literals, like the hostname.

richgalloway · ‎07-23-2019

Just guessing, but perhaps it's because you have a token called 'host' as well as a field (created by rex) called 'host'.

---
If this reply helps you, Karma would be appreciated.

Timechart not populating the result

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability