Why is dashboard report search unable to read from time picker?

neerajs_81
Builder

Hi All, 
My Dashboard panel which calls a report search is showing "Search did not return any events." When I click on the magnifying glass icon and run the search manually, it displays the results without any issues. Please advise what could be wrong in the XML form. I am ensuring to use <form> </form>

<form version="1.1">
  <label>SLA Metrics</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>MTTA - Mean Time to Acknowledge</title>
        <search ref="MHE - Mean Time to Acknowledge">
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>


I have referenced https://community.splunk.com/t5/Splunk-Search/Using-time-range-picker-does-not-work-in-dashboard-whe... and as far as I can tell, my XML code is in line with the solution in that post. Please assist.

PaulPanther
Motivator

I guess the report is scheduled, right? If that's the case, you can't use the timepicker. If you remove the schedule from the saved search, then the "earliest" and "latest" tags will be applied in the dashboard.

So you have three options:

1. Use the search query in your dashboard

2. Reference the scheduled report without timestamp tags

3. Deactivate the Schedule and use the report with timestamp tags

neerajs_81
Builder

Thanks for responding. No, the report is not scheduled, and that's the odd part. Screenshot below. In the Classic Dashboard, I don't see any option to enter the search query directly. It is mandatory to select an Input and then under inputs I end up selecting my Report.

PaulPanther
Motivator

Hmm, okay. That's weird.

To add the search query that is used in your report, go to "Reports", click on the report name and then choose "Add to dashboard". There you have the option to add the report as an inline search.
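
Added example, not part of the original thread or of either poster's code: the question's form with the panel's `ref` search replaced by an inline `<query>`, which is the shape the accepted answer's "inline search" option produces. The query text is a placeholder assumption, because the thread never shows the report's search string.

```xml
<form version="1.1">
  <label>SLA Metrics</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>MTTA - Mean Time to Acknowledge</title>
        <!-- Inline search: the SPL lives in the dashboard itself instead of
             being pulled from the saved report via ref="...". -->
        <search>
          <!-- PLACEHOLDER (assumption): paste the report's own search string
               here; index and sourcetype below are not from the thread. -->
          <query>index=placeholder_index sourcetype=placeholder_sourcetype</query>
          <!-- Time range comes from the time picker token defined above. -->
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>
```

If the pasted search string contains `<`, `>` or `&`, escape them or wrap the query text in a CDATA section so the dashboard XML stays well-formed.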


neerajs_81
Builder

That worked. Thank you. Sorry for the late response.
