Solved: Re: Why am I unable to add my search to a dashboar...

jagadeeshm · ‎01-25-2017

I am using the following search to get all indexes and sourcetypes. But I am unable to add the search to a dashboard panel. XML seems to escape the text correctly but doesn't bring back any results.

| eventcount summarize=false index=* index!=_* | dedup index | fields index 
     | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent

cmerriman · ‎01-26-2017

try this:

<form>
  <label>test2</label>
  <fieldset submitButton="false">
    <input type="radio" token="index">
      <label>index</label>
      <choice value="\&quot;$index$\&quot;">all</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| eventcount summarize=false index=* index!=_* | dedup index | fields index 
      | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent</query>
          <earliest>-3d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

cmerriman · ‎01-26-2017

try this:

<form>
  <label>test2</label>
  <fieldset submitButton="false">
    <input type="radio" token="index">
      <label>index</label>
      <choice value="\&quot;$index$\&quot;">all</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| eventcount summarize=false index=* index!=_* | dedup index | fields index 
      | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent</query>
          <earliest>-3d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

jagadeeshm · ‎01-26-2017

With this query, is it possible to filter on both indexes and sourcetypes? So the above query lists all indexes and sourcetype....I have those in hundreds.

cmerriman · ‎01-26-2017

you could change/add to the input to filter, I believe.

jagadeeshm · ‎01-26-2017

I opened up a separate question for my filters. Thanks!

jagadeeshm · ‎01-26-2017

How I hide the input?

cmerriman · ‎01-27-2017

add this to the form statement

<form hideFilters="true">

cmerriman · ‎01-26-2017

Do you have the input created correctly? I added this to a dashboard panel exactly as written and added in an input for index and it seems to work just fine.

jagadeeshm · ‎01-26-2017

Oh, I see the data after adding the input. But do I get to display it all indexes and sourcetypes

cmerriman · ‎01-26-2017

it's seeing the | metadata type=sourcetypes index=\"$index$\" and | eval index=\"$index$\"" as a token. Just add an input and just have it always set to * if wanted.

jagadeeshm · ‎01-26-2017

I am unable to set it to "*"

bmo017 · ‎01-25-2017

Hello,

I am unsure of how to add the correct FirstEvent and LastEvent time in, but for the search in which you are looking for, I would use a tstats command similar to below to return the desired results.

To group every sourcetype by its index use the search below:

 | tstats count WHERE index=* by index sourcetype

To group the sourcetypes by index use the below search:

 | tstats count values(sourcetype) WHERE index=* by index

With this search it should populate your dashboard without a problem. You would just have to further investigate adding the first and last event times.

jagadeeshm · ‎01-26-2017

The only problem is tstats command is timebound. In order to look for all indexes and sourcetypes, I have select "All Time" which is taking lot of time to return the results.

Why am I unable to add my search to a dashboard panel?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...