- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I getting different Results when using ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am Trying to build a Dashboard based on the below search with a drop down picker for time span and a drop down Button for sourcetype. When I ran the search without the pickers it runs great I get multiple actions log in, log out, and Null to name a few. But When I use the search with time pickers the only action column I get is null. I have checked answers and the docs but I am unable to figure out why the other columns are not showing up when I use the picker/tokens in the search.
Base Search:
sourcetype="YYY_XXX"
|timechart span=15m count by Action limit=0
Dashboard search with Tokens:
?CU?
|timechart $Span$ count by Action limit=0
Dashborad XML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@tnoelOTS, I think you meant $CU$ in your code not ?CU?. Nevertheless, only if correct field name Action is not picked up by any sourcetype the timechart command would show NULL field alone.
Following is a run anywhere dashboard based on three sourcetypes from Splunk's _internal index i.e. splunkd_access, splunkd_ui_access, splunk_web_access with common field called method available in all three.
I have just added default values for CU and Span dropdown and added a Time Picker. PS: default value of space in Span implies Splunk will pick up span based on selected timerange.
<form>
<label>Dashboard with tokens</label>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="CU" searchWhenChanged="true">
<label>Credit Union</label>
<choice value="*">all</choice>
<choice value="splunkd">Splunk</choice>
<choice value="splunkd_ui">Splunkd UI</choice>
<choice value="splunk_web">Splunkd Web</choice>
<suffix>_access"</suffix>
<prefix>sourcetype="</prefix>
<default>*</default>
</input>
<input type="time" token="tokTime" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="Span" searchWhenChanged="true">
<label>Span</label>
<choice value=" ">Default</choice>
<choice value="span=1m">1 min</choice>
<choice value="span=5m">5 min</choice>
<choice value="span=10m">10 min</choice>
<choice value="span=20m">20 min</choice>
<choice value="span=1h">1 hour</choice>
<choice value="span=2h">2 hour</choice>
<default> </default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=_internal $CU$
| timechart $Span$ count by method</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@tnoelOTS, I think you meant $CU$ in your code not ?CU?. Nevertheless, only if correct field name Action is not picked up by any sourcetype the timechart command would show NULL field alone.
Following is a run anywhere dashboard based on three sourcetypes from Splunk's _internal index i.e. splunkd_access, splunkd_ui_access, splunk_web_access with common field called method available in all three.
I have just added default values for CU and Span dropdown and added a Time Picker. PS: default value of space in Span implies Splunk will pick up span based on selected timerange.
<form>
<label>Dashboard with tokens</label>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="CU" searchWhenChanged="true">
<label>Credit Union</label>
<choice value="*">all</choice>
<choice value="splunkd">Splunk</choice>
<choice value="splunkd_ui">Splunkd UI</choice>
<choice value="splunk_web">Splunkd Web</choice>
<suffix>_access"</suffix>
<prefix>sourcetype="</prefix>
<default>*</default>
</input>
<input type="time" token="tokTime" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="Span" searchWhenChanged="true">
<label>Span</label>
<choice value=" ">Default</choice>
<choice value="span=1m">1 min</choice>
<choice value="span=5m">5 min</choice>
<choice value="span=10m">10 min</choice>
<choice value="span=20m">20 min</choice>
<choice value="span=1h">1 hour</choice>
<choice value="span=2h">2 hour</choice>
<default> </default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=_internal $CU$
| timechart $Span$ count by method</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>
| makeresults | eval message= "Happy Splunking!!!"
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
