Activity Feed
- Posted Re: Back fill of data in timerange on Splunk Search. 03-03-2025 03:49 AM
- Posted Re: Back fill of data in timerange on Splunk Search. 03-03-2025 03:21 AM
- Posted Back fill of data in timerange on Splunk Search. 03-03-2025 02:16 AM
- Posted Re: Display Dashboard in Stacked row on Splunk Search. 02-11-2025 03:41 AM
- Posted Display Dashboard in Stacked row on Splunk Search. 02-11-2025 03:29 AM
- Posted Re: How to use substr or regex to extract part of text on Splunk Search. 02-07-2025 03:34 AM
- Karma Re: Adding zoom in option to timeline chart for ITWhisperer. 02-07-2025 02:11 AM
- Posted Re: Passing a mutiple values of label in input dropdown on Splunk Search. 12-08-2024 11:05 PM
- Posted Re: Passing a mutiple values of label in input dropdown on Splunk Search. 12-05-2024 08:43 PM
- Posted Passing a mutiple values of label in input dropdown on Splunk Search. 12-04-2024 08:11 PM
- Posted Issues in multiselect input dropdown on Splunk Search. 12-04-2024 02:03 AM
- Karma Re: Adding zoom in option to timeline chart for bowesmana. 11-14-2024 08:55 PM
- Posted Re: Adding zoom in option to timeline chart on Splunk Search. 11-14-2024 01:17 AM
- Posted Adding zoom in option to timeline chart on Splunk Search. 11-13-2024 04:11 AM
- Posted Dowloading results of table to .csv file on Splunk Search. 11-12-2024 04:01 AM
- Karma Re: unset the inputput dropdown to default for ITWhisperer. 11-11-2024 07:11 PM
- Posted unset the inputput dropdown to default on Splunk Search. 11-11-2024 03:18 AM
- Karma Re: Finding the length of multivalue/singlevalue field for zksvc. 11-11-2024 03:14 AM
- Posted Re: Finding the length of multivalue/singlevalue field on Splunk Search. 11-04-2024 10:23 PM
- Posted Re: Finding the length of multivalue/singlevalue field on Splunk Search. 11-04-2024 07:25 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-03-2025
03:49 AM
Hello @ITWhisperer , Thanks for asking! You are right.., It will be like, the next event will be received within 3 days, it wont take more time at wrost cases. I'm using those values in the chart, when we are searching with less time range, I can't see the logs of the timerange in that time range because of the gap in logs, I have listed two scenarious, As per the scenario1, The perevious value is just a opposite value of the next one. Scenario 2 is bit hard, having multiple values, which can be generated before 3 days at wrost cases. Thansk!
... View more
03-03-2025
03:21 AM
Hello @ITWhisperer , Thanks for your reply. 17:54:01 - System reset 22:09:04 - System Stop 23:01:01 - System Started 01:01:01 - System Stop In case of from 21:00, I need to take as System reset and followed by other values. Actually I just need to fill the value, even the logs weren't there in teh selcted timerange. Thanks!
... View more
03-03-2025
02:16 AM
Hello Splunkers, I'm having a logs which will be generated only where there is change in system, 6:01:01 - System Stop 10:54:01 - System Start 13:09:04 - System Stop 16:01:01 - System Start 17:01:01 - System Stop These are the logs. Lets say If I'm searchit it in a chart, for the timerange from 7Am - 4Pm the chart from 8Am until 10:54:01 Am is empty since the previous event was generated at 6:01:01, so there is a gap. I would like to fix this. In some cases only 2 values is been repeated, so we can take the one in present, the past can be its opposite. Eg - At 10:54:01 - System Start, We have received this log, where the system is start, the previous one will be stop. These are fixed for some cased, I need two best solutions, only for this scenario, other for multiple values, like these 14:01:01 - System Started 17:54:01 - System reset 22:09:04 - System Stop 23:01:01 - System Started 01:01:01 - System Stop wheres here I'm getting three values like Started, Stop and reset. Thanks in Advance!
... View more
02-11-2025
03:41 AM
Hi @livehybrid , Thanks for your response! The panels in right side weren't visible <row> <panel> <title>Panel 1</title> <table> <search> <query>| makeresults | eval name="p1"</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> </table> </panel> <column> <row> <panel> <title>Panel 2</title> <table> <search> <query>| makeresults | eval name="p2"</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel> <title>Panel 3</title> <table> <search> <query>| makeresults | eval name="p3"</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </column> </row> Please try this. Thanks!
... View more
02-11-2025
03:29 AM
Hello There, I'm having 3 panles, where i need to display panel 1 in left side, In the same row I need to display Panle 2 and Panel 3 in left side in a stacked way. Is there is possibel way in Classic dashboard in Splunk? | Left | Top-Right | | Panel |---------- | | | Bot-Right| Looking forward for the resposne. Thanks!
... View more
02-07-2025
03:34 AM
Hello @vvkarur , You can try this regex | rex field=_raw "\"role\":\"(?<field_name>\w+)\"" Thanks!
... View more
12-08-2024
11:05 PM
Hi @yuanliu ,
Thanks for your reply. Sorry for not briefing it properly. 1. data input is from lookup site_ids.csv is displayname prefix abc12 23456789
qwe14 78945612
rty12 12356789
yuui13 56897412 Here I need to display displayname field value in input dropdown as a multi select value, also I would like to pass label that is prefix to my search as well. lets say, If i select displayname fields values as
abc12
qwe14
rty12 I need to see these values in input dropdown and need to pass the below prefix to the search in dashboard panel
23456789 78945612 12356789 as ("23456789", "78945612","12356789 "), which needs to be used in IN command Here is the search where i will be using the prefix token in search
index=abc sourcetype=sc*
| fields _time index Eventts FIELD* source IPC
| search IPC IN ($my_token$)
| fields - source
Hope I'm clear now, please let me know if there are anything. Thanks!
... View more
12-05-2024
08:43 PM
Hello @yuanliu , Thanks for your reply. Already the query of input dropdown can pass multiselect values, here I'm having two field values one id for field for label and another one is for field for value. I need to pass field for value to the search, which is working fine in the current search, But i need to pass field for label values to the search, where us its a multi select values. Please let me know if i missed anything. Thanks!
... View more
12-04-2024
08:11 PM
Hello There, I would like to pass mutiple values in label, Where in the current search i can able to pass onlu one values at a time,
<input type="multiselect" token="siteid" searchWhenChanged="true">
<label>Site</label>
<choice value="*">All</choice>
<choice value="03">No Site Selected</choice>
<fieldForLabel>displayname</fieldForLabel>
<fieldForValue>prefix</fieldForValue>
<search>
<query>
| inputlookup site_ids.csv
|search displayname != "ABCN8" AND displayname != "ABER8" AND displayname != "AFRA7" AND displayname != "AMAN2"
</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<delimiter>_fc7 OR index=</delimiter>
<suffix>_fc7</suffix>
<default>03</default>
<initialValue>03</initialValue>
<change>
<eval token="form.siteid">case(mvcount('form.siteid') == 2 AND mvindex('form.siteid', 0) == "03", mvindex('form.siteid', 1), mvfind('form.siteid', "\\*") == mvcount('form.siteid') - 1, "03", true(), 'form.siteid')</eval>
</change>
<change>
<set token="tokLabel">$label$</set>
</change>
</input>
I need to pass this label value as well, which is a multiselect value. Thanks!
... View more
12-04-2024
02:03 AM
Hello There, I'm hvaing issues in multiselect input dropdown
<input type="multiselect" token="siteid" searchWhenChanged="true">
<label>Site</label>
<choice value="*">All</choice>
<choice value="03">No Site Selected</choice>
<fieldForLabel>displayname</fieldForLabel>
<fieldForValue>prefix</fieldForValue>
<search>
<query>
| inputlookup site_ids.csv
| search displayname != "ABN8" AND displayname != "ABR8" AND displayname != "ABRA7" AND displayname != "ABMAN2"
</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<delimiter>_fc7 OR index=</delimiter>
<suffix>_fc7</suffix>
<default>03</default>
<initialValue>03</initialValue>
<change>
<eval token="form.siteid">case(mvcount('form.siteid') == 2 AND mvindex('form.siteid', 0) == "03", mvindex('form.siteid', 1), mvfind('form.siteid', "\\*") == mvcount('form.siteid') - 1, "03", true(), 'form.siteid')</eval>
</change>
</input>
<input type="multiselect" token="system_number" searchWhenChanged="true">
<label>Node</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>Node</fieldForLabel>
<fieldForValue>sys_number</fieldForValue>
<change>
<eval token="form.system_number">case(mvcount('form.system_number') == 2 AND mvindex('form.system_number', 0) == "*", mvindex('form.system_number', 1), mvfind('form.system_number', "\\*") == mvcount('form.system,_number') - 1, "*", true(), 'form.system_number')</eval>
</change>
<search>
<query>| inputlookup node.csv
| fields site prefix Node sys_number
| eval token_value = "$siteid$"
| eval site_val = if(match(token_value, "OR\s*index="), split(replace(token_value, "\s*OR\s*index=\s*", ","), ","), token_value)
| where prefix=site_val
| dedup Node
| table Node sys_number</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<prefix>"</prefix>
<suffix>"</suffix>
<valueSuffix>","</valueSuffix>
<delimiter> </delimiter>
</input>
the problem here is, I need to have field for label as Node but , When I'm selecting an value in siteid, then selecting a value in Node, after that selecting the secong value in Siteid, the node change its value to sys_number, but actually it should be Node, as we mentioned fields label as Node only but it changes to sys_number. this only happens after selecting any values in Node, if we select values in siteid, the Node behaved wierd. Other eise its fine, Thanks!
... View more
11-14-2024
01:17 AM
Hi @bowesmana & @ITWhisperer ,
Thanks for your reply! I have tried using selection but facing some error even after this warning this is not working. "Invalid child="selection" is not allowed in node="viz" "
<row>
<panel>
<title>status</title>
<viz type="timeline_app.timeline">
<search>
<query>index=$siteid$ sourcetype=logs* CAT IN ("TAT") _raw=*** (NOT CODE=* OR CODE IN ("T11"))
| head 100000
| eval Eventts_date=substr(Eventts,1,10)
| eval Eventts_time=substr(Eventts,12,8)
| eval Eventts_new=Eventts_date." ".Eventts_time
| eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N")
| fillnull value="N/A"
.............................
| eval displayname="Operational".displayname
| table _time displayname FIELD_01 duration
| append
[ search index=$siteid$ sourcetype=FSC* CAT IN ("ST") _raw=*** (NOT CODE=* OR CODE IN ("Ad13"))
| head 100000
| eval Eventts_date=substr(Eventts,1,10)
| eval Eventts_time=substr(Eventts,12,8)
| eval Eventts_new=Eventts_date." ".Eventts_time
| eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N")
..............................
| table _time displayname FIELD_01 duration
]
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="height">460</option>
<option name="refresh.display">progressbar</option>
<option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.colorMode">categorical</option>
<option name="timeline_app.timeline.maxColor">#DA5C5C</option>
<option name="timeline_app.timeline.minColor">#FFE8E8</option>
<option name="timeline_app.timeline.numOfBins">6</option>
<option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.useColors">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<selection>
<set token="selection.earliest">$start$</set>
<set token="selection.latest">$end$</set>
<set token="start.count">$start.count$</set>
<set token="end.count">$end.count$</set>
</selection>
<drilldown><link target="_blank">search?q=
<query>index=$siteid$ sourcetype=FSC* CAT IN ("TAT") _raw=*** (NOT CODE=* OR MARKCODE IN ("TZ11"))
| head 100000
| where _time >= $selection.earliest$ AND _time ?<= $selection.latest$
| eval Eventts_date=substr(Eventts,1,10)
| eval Eventts_time=substr(Eventts,12,8)
| eval Eventts_new=Eventts_date." ".Eventts_time
| eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N")
..................
| table _time displayname FIELD_01 duration
| append
[ search index=$siteid$ sourcetype=FSC* CAT IN ("ST") _raw=*** (NOT CODE=* OR CODE IN ("Ak03"))
| head 100000
| eval Eventts_date=substr(Eventts,1,10)
| eval Eventts_time=substr(Eventts,12,8)
| eval Eventts_new=Eventts_date." ".Eventts_time
| eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N")
............................................
| eval displayname="Maintenance".displayname
| table _time displayname FIELD_01 duration
]
</query></link></drilldown>
</viz>
</panel>
</row>
... View more
11-13-2024
04:11 AM
Hello All, I'm having a timeline chart, I would like to add zoom in to this chart when we drang and select some lines, it needs to zoom. Can anyone hekp to find this. Thanks in Advance!
... View more
Labels
- Labels:
-
chart
11-12-2024
04:01 AM
Hello Splunkers,
I'm getting proper results without any selction in input dropdown, I can able to download the results of that particular table but when I'm making any selection in dahsboard, since its having the base search, its loading results will all fields in base search rather than the fields mentioned in that table. here is the query,
<panel>
<title>Raw Data</title>
<!-- HTML Panel for Spinner -->
<input type="text" token="value" searchWhenChanged="true">
<label>Row Data per Page</label>
<default>20</default>
<initialValue>20</initialValue>
</input>
<input type="radio" token="field3" searchWhenChanged="true">
<label>Condition_1</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search" searchWhenChanged="true">
<label>All Fields Search_1</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="checkbox" token="field4">
<label>Add New Condition</label>
<choice value="0">Yes</choice>
</input>
<input type="dropdown" token="field5" searchWhenChanged="true" depends="$field4$">
<label>Expression</label>
<choice value="AND">AND</choice>
<choice value="OR">OR</choice>
<default>AND</default>
<initialValue>AND</initialValue>
</input>
<input type="radio" token="field6" searchWhenChanged="true" depends="$field4$">
<label>Condition_2</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search2" searchWhenChanged="true" depends="$field4$">
<label>All Fields Search_2</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<html>
<a class="btn btn-primary" role="button" href="/api/search/jobs/$export_sid$/results?isDownload=true&timeFormat=%25FT%25T.%25Q%25%3Az&maxLines=0&count=0&filename=Event_Logs&outputMode=csv">Download CSV</a>
</html>
<html depends="$showSpinner3$">
<!-- CSS Style to Create Spinner using animation -->
<style>
.loadSpinner {
margin: 0 auto;
border: 5px solid #FFF; /* White BG */
border-top: 5px solid #3863A0; /* Blue */
border-radius: 80%;
width: 50px;
height: 50px;
animation: spin 1s linear infinite;
}
@keyframes spin {
0% { transform: rotate(0deg); }
100% { transform: rotate(360deg); }
}
<!-- CSS override to hide default Splunk Search Progress Bar -->
#panel1 .progress-bar{
visibility: hidden;
}
</style>
<div class="loadSpinner"/>
</html>
<table>
<search base="base_search_index">
<progress>
<!-- Set the token to Show Spinner when the search is running -->
<set token="showSpinner3">true</set>
</progress>
<done>
<!-- Unset the token to Hide Spinner when the search completes -->
<unset token="showSpinner3"></unset>
</done>
<query>| sort _time |eval _raw=displayname.","._raw
| table _raw
| appendpipe
[| stats count
| where count == 0
| eval _raw="No Data Found for selected time and filters"
| table _raw ]</query>
<done>
<set token="export_sid">$job.sid$</set>
</done>
</search>
<option name="count">$value$</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="_raw">
<colorPalette type="map">{"No Data Found for selected time and filters":#D41F1F}</colorPalette>
</format>
</table>
</panel>
... View more
11-11-2024
03:18 AM
Hello Splunkers,
I have created a input dropdown where i need to reset all input drodpdown irrespective of the selections made to the default value of the fields. Here i can chnage the values that were passed to the search but I weren't unable to change the values that were present in input dropdown.
<input type="radio" token="field3" searchWhenChanged="true">
<label>Condition_1</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search" searchWhenChanged="true">
<label>All Fields Search_1</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="checkbox" token="field4">
<label>Add New Condition</label>
<choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field5" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
<label>Expression</label>
<choice value="AND">AND</choice>
<choice value="OR">OR</choice>
<default>AND</default>
<initialValue>AND</initialValue>
</input>
<input type="radio" token="field6" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
<label>Condition_2</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search2" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
<label>All Fields Search_2</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="checkbox" token="field14" depends="$field4$">
<label>Add New Condition</label>
<choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field15" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
<label>Expression</label>
<choice value="AND">AND</choice>
<choice value="OR">OR</choice>
<default>AND</default>
<initialValue>AND</initialValue>
</input>
<input type="radio" token="field16" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
<label>Condition_3</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search12" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
<label>All Fields Search_3</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="checkbox" token="reset_all_field_search" searchWhenChanged="true">
<label>Reset All field search</label>
<choice value="reset_all_field_search">Yes</choice>
<delimiter> </delimiter>
<change>
<condition value="reset_all_field_search">
<unset token="search"></unset>
<set token="search">*</set>
<unset token="search2"></unset>
<set token="search2">*</set>
<unset token="search12"></unset>
<set token="search12">*</set>
<unset token="field4"></unset>
<set token="field4">*</set>
<unset token="field5"></unset>
<set token="field5">*</set>
</condition>
</change>
</input>
please help me to fix this. Thanks!
... View more
11-04-2024
10:23 PM
Hello @zksvc , Thanks again! I'm facing error in this line "unbalanced quotes" | eval lengths = mvmap(code_list, len(trim('code_list', '"'))) So ihave modified this as | eval lengths = mvmap(code_list, len(trim('code_list', "\""))) though eval is not accepting "*" as a token value in code. Thanks!
... View more
11-04-2024
07:25 PM
Hello @zksvc , Thanks for your prompt response and Thanks for your time! It works but my token value will be enclosed with ("token_value"), Lets say token and results can be Token Result Reason ("*") value_1 Since the length of "*" is 1, we need pass value1 ( "abc") value_2 Since the length of "abc" is 3, we need pass value2 ("ajd","abc","sd") value_2 Since the length of "ajd" is 3, we need pass value2 The purpose of this is, My use case is to find wheather the token consists of "*" in it or not, Since its a inputdropdown of multivalue field, If i use mv commands it only works for multivalues but at some cases we will be getting single value from the input dropdown, So i need a condition to work in both the cases. Thanks!
... View more
11-04-2024
06:59 PM
Hello There, I would like to pass two diffrent values as a token, the search consists of code as a token, where code field can be single values or with multiple values, we need to calculate the length and if the length is equal to 1, then we need pass value_1., if the length is greater than 1, then we need to pass value_2 in a new token, index=03_f123456 sourcetype=logs* (CODE IN ($code$)) | eval x=len($code$) | eval y=if(x=1,"value_1",value_2") |dedup y |table y Thanks in advance!
... View more
- Tags:
- search
10-29-2024
08:58 PM
Hello @ITWhisperer , Hope i have added more information, please let me know if i need to add any other info. Actual need is, I'm having a field where sometimes i will get empty value, When i'm selecting All in input drodown the values can be anything, it can be empty as well but when we choose any specific value in input drodown, we don't need to consider empty values, so I planned to create 2 base searches, one is when we choose all in input drodown, other is when we choose any values apart from All in input drodown, Since when we are choosing any other values in input drodown, we can use | where isnotnull(field_name) | head 10000 which is not needed when we are selecting all in inputdrodown, since the data volume is huge . thanks! thanks!
... View more
10-29-2024
07:39 PM
Hello Splunkers, I'm having a inputput dropdown field, when i'm selecting "*" in that input dropdown field, I need to pass base search 1 to all searches in dashboard, when I'm selecting any other values apart from "*". I need to pass base search 2 to all searches in dashboard.
<form version="1.1">
<label>Clone sample</label>
<search>
<query>
| makeresults
| eval curTime=strftime(now(), "GMT%z")
| eval curTime=substr(curTime,1,6)
|rename curTime as current_time
</query>
<progress>
<set token="time_token_now">$result.current_time$</set>
</progress>
</search>
<search id="base_1">
<query>
index=2343306 sourcetype=logs*
| head 10000
| fields _time index Eventts IT _raw
| fillnull value="N/A"
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<search id="base_2">
<query>
index=2343306 sourcetype=logs*
| where isnotnull(CODE)
| head 10000
| fields _time index Eventts IT CODE _raw
| fillnull value="N/A"
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="radio" token="field1">
<label>field1</label>
<choice value="All">All</choice>
<choice value="M1">M1</choice>
<choice value="A2">A2</choice>
<change>
<eval token="base_token">case("All"="field1", "base_1", "All"!="field1", "base_2")</eval>
</change>
</input>
<input type="time" token="time_token" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>table</title>
<search base="$base_token$">
<query>| table *</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
I have tries passing token in input dropdown it dosent work, can you please help me in fixing this issue. Thanks!
... View more
10-29-2024
08:43 AM
Hello @ITWhisperer , I would like to pass based search to panels in dashboard <search id="base_search_1">
<query>
index=$siteid$ sourcetype=log* values IN (Ax01, Ms09)
.....
| table *
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<search id="base_search_2">
<query>
index=$siteid$ sourcetype=log* Values IN (*)
.....
| table *
</query>
<earliest>$time_token.earliest$</earliest> I need to pass base_search_1 when a inut drodpown is selected with "All", when other values are selected in the input dropdown, it need to pass base_search_2 to the panel in dashboard. thanks! <latest>$time_token.latest$</latest> </search> the reason why i choose this is, Actually we are having a input dropdown field which may be empty at some time also we are filtering only head 10000 records as per need, So when the input dropdown field is selected with "All" values, we don't have any issues either the field can be with values or can be empty but when the inputdropdown field is having spome field values to be filtered then empty field should not be giving proper results, so instead of head 10000, we need to filter non empty values of 10k, rather than head 10k, also please suggest other possible efiicient way to do this. thanks!
... View more
10-29-2024
03:29 AM
Hello Splunkers, I would like to pass the two base search when input dropdown is set as all, i need to pass a base search, when other values apart from all is selected, it need to pass a diffrent base search. Thanks!
... View more
10-14-2024
09:59 AM
Hello @ITWhisperer , Is that be possible if all the field has only 2 values, that is been repeadily occuring. Also the numeric values can be replaced with text values as well. Thanks!
... View more
10-14-2024
08:32 AM
Hello, I would like to create chart with multiple fields in Y axis and time in x axis, Y axis - FIELD_01 FIELD_02 FIELD_03 FIELD_04 FIELD_05 FIELD_06 (All field values are in strings and numbers as well) x axis - _time Lets say, If the FIELD_01 consists of values Stopped, Started, Stopped, Stopped In y axis it should change its values with some colours. FIELD_06 Field values FIELD_05 Field values FIELD_04 Field value FIELD_03 Field value FIELD_02 Field value FIELD_01 Field value Y axis/ x axis _time Thanks in Advance!
... View more
Labels
- Labels:
-
timechart
09-23-2024
04:26 AM
Hi @yuanliu & @ITWhisperer & @tscroggins & @PickleRick & @dural_yyz , Thanks everyone for your time, it works for me. Thanks in Advance!
... View more
