Splunk Search

Why am I unable to add my search to a dashboard panel?

jagadeeshm
Contributor

I am using the following search to get all indexes and sourcetypes. But I am unable to add the search to a dashboard panel. XML seems to escape the text correctly but doesn't bring back any results.

| eventcount summarize=false index=* index!=_* | dedup index | fields index 
     | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent
0 Karma
1 Solution

cmerriman
Super Champion

try this:

<form>
  <label>test2</label>
  <fieldset submitButton="false">
    <input type="radio" token="index">
      <label>index</label>
      <choice value="\&quot;$index$\&quot;">all</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| eventcount summarize=false index=* index!=_* | dedup index | fields index 
      | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent</query>
          <earliest>-3d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

jagadeeshm
Contributor

With this query, is it possible to filter on both indexes and sourcetypes? So the above query lists all indexes and sourcetypes... I have those in the hundreds.

0 Karma

cmerriman
Super Champion

You could change/add to the input to filter, I believe.

0 Karma

jagadeeshm
Contributor

I opened up a separate question for my filters. Thanks!

0 Karma

jagadeeshm
Contributor

How do I hide the input?

0 Karma

cmerriman
Super Champion

Add this to the form statement:

<form hideFilters="true">
0 Karma

cmerriman
Super Champion

Do you have the input created correctly? I added this to a dashboard panel exactly as written and added in an input for index and it seems to work just fine.

0 Karma

jagadeeshm
Contributor

Oh, I see the data after adding the input. But do I get to display all indexes and sourcetypes?

0 Karma

cmerriman
Super Champion

It's seeing the | metadata type=sourcetypes index=\"$index$\" and | eval index=\"$index$\"" as a token. Just add an input and have it always set to * if wanted.

0 Karma
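To make the token explanation above concrete, here is an added Python model of the two substitution passes the question's query goes through: the dashboard's Simple XML token pass over the panel's query, and map's own per-row $index$ pass. This is my code, not from the thread or from Splunk. It assumes Splunk's documented behaviour that a panel search is not dispatched while a referenced token has no value, and that a doubled dollar sign ($$) is the Simple XML escape for a literal $; the sample query is the map clause from the question, embedded inline.

```python
import re

# Constructed sample: the map subsearch from the question, as it sits inside
# the dashboard's <query> element (the backslash-quotes are map's own escaping).
QUERY = ('| map maxsearches=100 search="| metadata type=sourcetypes '
         'index=\\"$index$\\" | eval index=\\"$index$\\""')

# Simple XML token reference: $name$. The `$$` alternative models the
# documented escape for a literal dollar sign (assumption from Splunk docs,
# not something the thread itself states).
TOKEN_RE = re.compile(r'\$\$|\$([A-Za-z0-9_]+)\$')

# map's own token syntax is the same $field$ shape, without the $$ escape.
MAP_TOKEN_RE = re.compile(r'\$([A-Za-z0-9_]+)\$')


def dashboard_tokens(query):
    """Names of the tokens the dashboard will try to resolve before dispatch."""
    return sorted({m.group(1) for m in TOKEN_RE.finditer(query) if m.group(1)})


def dashboard_token_pass(query, tokens):
    """Model of the Simple XML token pass over a panel's <query>.

    Returns (rewritten_query, unresolved). Every $name$ with a value in
    `tokens` is replaced and `$$` becomes `$`. Names left in `unresolved`
    have no value; a real dashboard holds the search until they are set,
    which is why the panel in the question shows nothing without an input.
    """
    unresolved = []

    def repl(match):
        if match.group(0) == '$$':
            return '$'
        name = match.group(1)
        if name in tokens:
            return tokens[name]
        unresolved.append(name)
        return match.group(0)

    return TOKEN_RE.sub(repl, query), unresolved


def map_token_pass(subsearch, row):
    """Model of map's substitution: $field$ -> that field's value in the row."""
    return MAP_TOKEN_RE.sub(
        lambda m: row.get(m.group(1), m.group(0)), subsearch)


def escape_for_dashboard(query):
    """Reserve every $...$ for map by doubling the dollar signs, so the
    dashboard pass references no tokens and hands map the query unchanged."""
    return query.replace('$', '$$')


if __name__ == '__main__':
    print('tokens the dashboard wants:', dashboard_tokens(QUERY))
    _, missing = dashboard_token_pass(QUERY, {})
    print('unresolved without an index input:', missing)
    print('with an input set to *:', dashboard_token_pass(QUERY, {'index': '*'})[0])
    print('escaped, after the dashboard pass:',
          dashboard_token_pass(escape_for_dashboard(QUERY), {})[0])
    print('map pass for one row:', map_token_pass(QUERY, {'index': 'main'}))
```

With no input defined the dashboard pass reports `index` as unresolved twice and the search never runs; with an input fixed to `*` both occurrences become `\"*\"` before map ever sees them, so map no longer substitutes per index. Doubling the dollar signs is the alternative to the radio-input workaround: the dashboard pass then returns the original query and map gets its `$index$` references intact.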

jagadeeshm
Contributor

I am unable to set it to "*"

0 Karma

bmo017
Path Finder

Hello,

I am unsure how to add the correct FirstEvent and LastEvent times, but for the search you are looking for, I would use a tstats command similar to the ones below to return the desired results.

To group every sourcetype by its index use the search below:

 | tstats count WHERE index=* by index sourcetype

To group the sourcetypes by index use the search below:

 | tstats count values(sourcetype) WHERE index=* by index

With this search it should populate your dashboard without a problem. You would just have to further investigate adding the first and last event times.

0 Karma

jagadeeshm
Contributor

The only problem is that the tstats command is time-bound. In order to look for all indexes and sourcetypes, I have to select "All Time", which is taking a lot of time to return the results.

0 Karma