Hi, thank you for looking at my post.
I actually found the solution here: the `<searchTemplate>` element has to sit inside the `<table>` tags (directly under the panel), not outside them.
So my final code was:
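<form>
<label>Splunk User Activity Monitoring</label>
<!--
  Reports on search jobs visible via the /services/search/jobs REST endpoint.
  The endpoint is queried as the user viewing the dashboard, so the tables only
  show jobs that user is permitted to list; listing other users' jobs (and their
  raw search strings, which may contain sensitive terms) needs elevated
  capabilities. Restrict who can open this dashboard accordingly.
-->
<fieldset>
<!-- The time picker only drives the dropdown's populating search below; the
     panel templates do not reference $timerange$, so the tables always cover
     every job the REST endpoint returns. -->
<input type="time" token="timerange">
<label>Select the Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<!-- Dropdown of search authors, driven by a search. -->
<input type="dropdown" token="author">
<label>Select a User</label>
<search>
<!-- NOTE(review): earliest/latest are passed to the endpoint as request
     parameters; confirm the jobs endpoint actually filters on them. -->
<query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$ |search NOT (author="splunk-system-user" OR author="monitoring") |search title!="" |stats count by author</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>author</fieldForLabel>
<fieldForValue>author</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<table>
<!-- $author|s$ quotes and escapes the token value before it is spliced into
     SPL. The unquoted form breaks on author names containing spaces or
     punctuation and lets anyone who can set form.author in the dashboard URL
     append arbitrary SPL to the search. A quoted "*" still matches any author. -->
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author=$author|s$
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))
|eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime)
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime)
|eval daterange= "From: ".earliestTime.", To: ".latestTime
|makemv delim=", " daterange
|sort +author
|table author eai:acl.app title daterange NoOfDays stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
<title>Splunk Searches Performed - Results for $author$</title>
<option name="count">50</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
<!-- Same pipeline as above, filtered to jobs whose own time window spans 90+ days. -->
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author=$author|s$
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime)
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime)
|eval daterange= "From: ".earliestTime.", To: ".latestTime
|makemv delim=", " daterange
|sort +author
|table author eai:acl.app title daterange NoOfDays stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Searches Taking Longer Than 5 Minutes To Complete</title>
<!-- Jobs whose summed *duration_secs fields are 300 seconds or more. -->
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author=$author|s$
|addtotals fieldname=duration *duration_secs
|where duration>=300
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})"
| rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|sort +author
|table author eai:acl.app title stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", stringSecs as "Query Runtime"</searchTemplate>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>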
Kind Regards
Chris