Splunk Search

Why is dashboard report search unable to read from time picker?

neerajs_81
Builder

Hi All, 
My Dashboard panel which calls a report search is showing "Search did not return any events." When i click on the magnifying glass icon and run the search manually, it displays the results without any issues.  Please advise what could be wrong in the XML form.  I am ensuring to use <form> </form> 

 

 

<form version="1.1">
  <label>SLA Metrics</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>MTTA - Mean Time to Acknowledge</title>
        <search ref="MHE - Mean Time to Acknowledge">
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>

 

 

 

neerajs_81_0-1675241698667.png

 

I have referenced https://community.splunk.com/t5/Splunk-Search/Using-time-range-picker-does-not-work-in-dashboard-whe... and as far as i can tell,  my xml code is in line with what is the solution in the post.  Please assist.

Labels (1)
Tags (1)
0 Karma
1 Solution

PaulPanther
Builder

Hmm, okay. That's weird.

To add the search query that is used in your report. Go to "Reports", Click on the Report Name and then choose "Add to dashboard". There you have the option add the report as an inline search.

PaulPanther_0-1675251217892.png

 

View solution in original post

PaulPanther
Builder

I guess the report is scheduled, right? If that the case you can't use the timepicker. If you remove the schedule from the saved search, then the "earliest" and "latest" tags will be applied in the dashboard.

So you have three options:

1. Use the search query in your dashboard

2. Reference the scheduled report without timestamp tags

3. Deactivate the Schedule and use the report with timestamp tags

 

neerajs_81
Builder

Thanks for responding. No the report is not scheduled and thats the odd part. Screenshot below.  In the Classic Dashboard, i don't see any option to enter the search query directly .  It is mandatory to select an Input and then under inputs i end up selecting my Report. 

neerajs_81_0-1675251000405.png

 

0 Karma

PaulPanther
Builder

Hmm, okay. That's weird.

To add the search query that is used in your report. Go to "Reports", Click on the Report Name and then choose "Add to dashboard". There you have the option add the report as an inline search.

PaulPanther_0-1675251217892.png

 

neerajs_81
Builder

That worked. Thank you.  Sorry for the late response.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...