Splunk Search

Why am I unable to add my search to a dashboard panel?

Contributor

I am using the following search to get all indexes and sourcetypes. But I am unable to add the search to a dashboard panel. XML seems to escape the text correctly but doesn't bring back any results.

| eventcount summarize=false index=* index!=_* | dedup index | fields index 
     | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent
0 Karma
1 Solution

Super Champion

Try this:

<form>
  <label>test2</label>
  <fieldset submitButton="false">
    <input type="radio" token="index">
      <label>index</label>
      <choice value="\&quot;$index$\&quot;">all</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| eventcount summarize=false index=* index!=_* | dedup index | fields index 
      | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index  SourceType TotalEvents FirstEvent LastEvent</query>
          <earliest>-3d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Contributor

With this query, is it possible to filter on both indexes and sourcetypes? So the above query lists all indexes and sourcetypes... I have hundreds of those.

0 Karma

Super Champion

You could change/add to the input to filter, I believe.

0 Karma

Contributor

I opened up a separate question for my filters. Thanks!

0 Karma

Contributor

How do I hide the input?

0 Karma

Super Champion

Add this to the form statement:

<form hideFilters="true">

0 Karma

Super Champion

Do you have the input created correctly? I added this to a dashboard panel exactly as written and added in an input for index and it seems to work just fine.

0 Karma

Contributor

Oh, I see the data after adding the input. But how do I get it to display all indexes and sourcetypes?

0 Karma

Super Champion

It's seeing the | metadata type=sourcetypes index=\"$index$\" and | eval index=\"$index$\"" as a token. Just add an input and have it always set to * if wanted.

0 Karma

Contributor

I am unable to set it to "*"

0 Karma

Path Finder

Hello,

I am unsure of how to add the correct FirstEvent and LastEvent time in, but for the search in which you are looking for, I would use a tstats command similar to below to return the desired results.

To group every sourcetype by its index use the search below:

 | tstats count WHERE index=* by index sourcetype

To group the sourcetypes by index use the below search:

 | tstats count values(sourcetype) WHERE index=* by index

With this search it should populate your dashboard without a problem. You would just have to further investigate adding the first and last event times.

0 Karma

Contributor

The only problem is that the tstats command is time-bound. In order to look for all indexes and sourcetypes, I have to select "All Time", which is taking a lot of time to return the results.

0 Karma
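The pieces discussed in this thread (an input that defines the $index$ token so the dashboard stops treating the literal $index$ in the query as an unset token, a default of *, hideFilters="true" to hide that input, and the tstats alternative) can be combined into one panel. The dashboard below is an added example, not code posted by anyone in this thread; the panel label, the 30-day window, the text-input type and the min(_time)/max(_time) aggregation used to approximate FirstEvent/LastEvent are my own choices. The index/sourcetype inventory it produces is the kind of table a detection team uses to confirm which log sources are actually being ingested and when each last reported.

```xml
<form hideFilters="true">
  <label>Index and sourcetype inventory (added example)</label>
  <!-- The input exists only so that the token $index$ is defined.
       Because hideFilters="true" hides it, the default of * is what runs. -->
  <fieldset submitButton="false">
    <input type="text" token="index">
      <label>index</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- tstats works from the tsidx summaries, so one bounded search
               replaces the per-index map/metadata loop from the question.
               FirstEvent/LastEvent here are the earliest and latest event
               times inside the chosen window, not the index's true lifetime. -->
          <query>| tstats count min(_time) AS FirstEvent max(_time) AS LastEvent WHERE index=$index$ BY index sourcetype
| convert ctime(FirstEvent) ctime(LastEvent)
| rename index AS Index sourcetype AS SourceType count AS TotalEvents
| fields Index SourceType TotalEvents FirstEvent LastEvent</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">100</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The caveat raised at the end of the thread still applies: tstats is bounded by the panel's earliest/latest, so an index or sourcetype with no events in the last 30 days will not appear, and a window of "All Time" is what makes it slow. Widen the window only as far as the data-onboarding question you are actually asking requires.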