When you visit a dashboard the panels/chart are all at a predefined size, but you now have the option to make the height of the chart bigger, by dragging them to a size that you want. Is there anyway you can control this size so it remains a certain height, each time you visit the dashboard? I am hoping it can be done in XML? But maybe I need css/html... ... View more

I have a search that gives me a number of columns in the stats field. max(col1) max(col2) ... 1 2 ... Can I replace the brackets in the column/field names with underscore? max_col1_ max_col2_ ... 1 2 ... I have looked at replace but that seems to work on the values in the field as opposed to the fieldname. I am looking for a generic way to do it as apposed to go through each field. ... View more

I have 2 searches that I am appending that looks something like search1 | append [search search2] and basically search 1 has data for 6 months e.g. Jan-Jun and search 2 has data for 6 months e.g.Jun-Nov. Can I control search1 to search for all dates up to June 15th at midnight using latest? And can I control search2 to search for all dates from June 15th at midnight using earliest? This way from a graphing point of view they all line up. This way my earch would look something like search1 latest=20140615 | append [search search2 earliest=20140616 ] NOTE I have asked this Q before but sollution I found then was starttime= 03/16/2015:00:00:00 but that is now deprecated so I am looking for a better solution. ... View more

Regarding starttime from the docs starttime starttime=<timestamp> Search from the specified date and time to the present (inclusive of the specified time). What format should `` be in? I have got this working starttime= 04/27/2015:00:00:00 , that is mm/dd/yyyy, but I am seeing strange results, possibly duplicates in data. Can anyone advise? For my reference this is in relation to this Q ... View more

Has anyone had any experience, getting different results depending on the date modifiers used to control the dates? I have a basic search that seems to give different results depending on the date selectors I use. I want to be able to control the date within the search because I am trying to join different searches together, but when I use it, I get different results as I show below: I expect 2 and 3 to be the right answer. no - day & value - time modifier in search - time range selected from the drop-down - no of events for the 7th Feb 1 - 7 feb 2016 27410.63 - no time modifier in the search - all time selected in the presets drop-down time selector - ?? events 1A - 7 feb 2016 32304.73 - no time modifier in the search - Last 30 Days selected in the presets dropdown time selector - 192 events 2 - 7 feb 2016 16152.36 - no time modifier in the search - Date-range from the drop-down time selector between 01/02/2016 and 29/02/2016 selected - 96 events 3 - 7 feb 2016 16152.36 - no time modifier in the search - Date-range from the drop-down time selector between 07/02/2016 and 07/02/2016 selected - 96 events 4 - 7 feb 2016 32304.73 - earliest=-30d in the search - all time selected in the presets drop-down time selector - 192 events 5 - 7 feb 2016 32304.73 - starttime= 01/01/2016:00:00:00 in the search - all time selected in the presets dropdown time selector - 192 events But I am not sure why I am getting the others? For instance 16152.36 is the answer I would expect for 7 feb and this can be achieved using 2 & 3 above (using the Date-range from the drop-down time selector) but I get double the answer 32304.73 when I include a date modifier in the search(which is what I want to be able to do). (Also this happens for a 2 week period, and other periods are okay. And within this 2 week period it is not always double) Also, with no 1 search above, i get a different answer altogether (27410.63 all time selected in the presets drop-down time selector) So basically is the data stored doubled in places? If so why does it not appear when I use the drop-down time selector? Really appreciate any help/pointers. The above table can be explained as follows: no - the search no. day & value - the value of the chosen field for a specific date time modifier in search - the time modifier I want to use to control in the search e.g. earliest=-30d , starttime= 01/01/2016:00:00:00 time range selected from the dropdown - the time range selected using the dropdown date picker in the top right of the search bar no of events for the 7th Feb - this is the number of events seen on the 7th feb My search looks like this (when I want to control the dates searched I use earliest=-30d , starttime= 01/01/2016:00:00:00 and place it after duration=PT3600S and befor the | pipe): index=core host="snzclakl598" elementType=UGW measObjLdn=*"/UGW Function:"* measInfoId=134221229 OR measInfoId=138412032 duration=PT3600S | eval c138412090_KB_MB=c138412090/1000 | eval c138412094_KB_MB=c138412094/1000 | timechart span=d sum(c134686691) AS "Gi downlink traffic in MB" sum(c134686689) AS "Gi uplink traffic in MB" sum(c138412090_KB_MB) AS "SGi downlink user traffic in MB" sum(c138412094_KB_MB) AS "SGi uplink user traffic in MB" | addtotals fieldname=GiTotalAmount_MB Gi* | addtotals fieldname=SGiTotalAmount_MB SGi* | eval GiTotalAmount_GB=GiTotalAmount_MB*1000000/1024/1024/1024 | eval SGiTotalAmount_GB=SGiTotalAmount_MB*1000000/1024/1024/1024 | fields + _time SGiTotalAmount_GB GiTotalAmount_GB ... View more