Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

help to display a timechart after a loadjob command

jip31
Motivator
‎10-22-2019 11:49 PM

hello

I call a timechart from a loadjob command like below and it works

| loadjob savedsearch="admin:toto_sh:win timechart2"

But I need to filter the events of my timechart by host because I use a text entry in my dashboard
Do I have to put the timechart count after the loadjob command like below or something else?

| loadjob savedsearch="admin:TOTO_sh:winevent timechart2" 
| search host=$tok_filterhost$ 
| timechart count by sourcetype limit=10 useother=false

thanks for your help

0 Karma
Reply

alexforkosh
New Member
‎10-23-2019 09:01 AM

try loadjob with events argument set to true.

loadjob events=true savedsearch="admin:TOTO_sh:winevent timechart2"

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-23-2019 12:09 AM

@jip31

timechart will work only if your below search results has _time fields. Is this search has _time?

| loadjob savedsearch="admin:TOTO_sh:winevent timechart2"
| search host=$tok_filterhost$

0 Karma
Reply

jip31
Motivator
‎10-23-2019 03:47 AM

Hi no
you can see my search below
perfmon earliest=-7d latest=now
| search host=$tok_filterhost$
| timechart count by sourcetype limit=10 useother=false

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-23-2019 06:33 AM

This search should work. Because I don't see any restriction on _time field. Is that possible to share more details about both searches ?

0 Karma
Reply

jip31
Motivator
‎10-23-2019 11:18 PM

Pearhaps I am not clear
The search below works fine :

perfmon earliest=-7d latest=now
| search host=$tok_filterhost$
| timechart count by sourcetype limit=10 useother=false

But I need to transform it in a scheduled search in order to call it from my dashboard and to be able to display the resulys for a specific host from a text entry
So I have deleted | search host=$tok_filterhost$ in my scheduled search and I have added

| loadjob savedsearch="admin:TOTO_sh:winevent timechart2" | search host=$tok_filterhost$

in my dashboard
But with this, I am unable to filter the resulys by host...
The scheduled search works fine if I delete | search host=$tok_filterhost$
So I try to find a solution...

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...