Do you mean we can't use JS to customize dashboards created in Splunk dashboard studio? ... View more

Without using JavaScript, it works as expected but I need to use JavaScript.  I’m just assuming that due to the earliest and latest variables defined in JavaScript, the init block is not working for me. Is there a way to solve this issue?    ... View more

@ITWhisperer  I below eval statement in init block didn't work. <init> <eval token="latest_Time">relative_time(now(), "+1d")</eval> </init>  I am using Javascript and there I have created two variables for earliest & latest time.     var earliestTime = defaultTokens.get("time.earliest");     var latestTime = defaultTokens.get("time.latest");   Do I need to use these variables in the Splunk dashboard in order to get the desired results? Once again, the problem statement is that I have to add +1d to the latest time selected in the time token. ... View more

<form version="1.1"> <label>My dashboard</label> <fieldset submitButton="false"></fieldset> <row id="mainFilterRow" depends="$showHidePanel$"> <panel id="mainFilterPanel1"> <input type="time" token="time"> <label>DateTime</label> <default> <earliest>@d</earliest> <latest>now</latest> </default> </input> </panel> <panel id="mainFilterPanel21"> <input type="dropdown" token="TimeDrop"> <label>TimeDrop</label> <choice value="+1d">1d</choice> <choice value="+2d">2d</choice> <choice value="+5d">5d</choice> <default>1d</default> <change> <eval token="latest_Time">relative_time($time.latest$, $TimeDrop$)</eval> </change> </input> </panel> </row> <row id="chartRow" depends="$showHidePanel$"> <panel> <search> <query>index=main | stats count by host</query> <earliest>$time.earliest$</earliest> <latest>$latest_Time$</latest> </search> </panel> </row> </form> ... View more

The statement is not working.    According to the above selection made, the earliest time should be 5/8/2024 05:00:00 & latest time should be 5/9/2024 06:00:00 (because the time span selected is +1d) but it is not working despite of using the below eval statement.  <eval token="latest_Time">relative_time($time.latest$, $timedrop$)</eval> Results:     ... View more

@ITWhisperer I've removed the option Now from the dropdown, what should be the new eval statement instead of <eval token="latest_Time">if(isnull('timedrop') or 'timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval> ? ... View more

@apietsch I want to onboard a SaaS application data to Splunk. What is the process? I think first would be to integrate the SaaS application add on with Splunk. That's the integration I'm talking about. ... View more

I've already given all the details & mentioned earlier that I used your method.  To be specific, I used this below mentioned statement in the "timedrop" dropdown change section. But still getting Nan error <panel id="pqr"> <input type="time" token="time"> <label>DateTime</label> <default> <earliest>@d</earliest> <latest>now</latest> </default> </input> </panel> <panel id="abc"> <input type="dropdown" token="timedrop"> <label>Time Dropdown</label> <choice value="now">Now</choice> <choice value="+3d">3d</choice> <choice value="+4d">4d</choice> <choice value="+5d">5d</choice> <default>now</default> <change> <eval token="latest_Time">if(isnull('timedrop') or 'timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval></change> </input> </panel> ... View more

Tried this method but for some reason I still see the same error.    ... View more

I’m expecting 0 results because the 1000 events in the left query are a subset of the 2000 events in the right query.  But in real I’m getting 1000 events on using left join which seems incorrect.  ... View more

@ITWhisperernot expect it to remove any events mean that I should be able to see 1000 results after loading the query or (0 results) no results because the events are matching perfectly.  ... View more

@richgalloway @ITWhisperer Here's the query: (index=app* (app=Application source="abc" "eventName=what is your name" *className IN (first*,second*,third*,fouth*)) OR (app=Application1 sourcetype="music:pqr" source="music/pqr.log" "Random raw msf" "status=COMPLETED" *className IN (first*,second*,third*,fouth*)) OR (source="xyz/eventmanagement/eventmanagement.log" "messages from _raw" name=my_amazon_order OR name=my_shiprocket_order *className IN (first*,second*,third*,fouth*))) OR (app=Application2 "raw message" source="aaa/orderdetailsave/orderdetailsave.log" **className IN (first*,second*,third*,fouth*)) earliest=$time.earliest$ latest=$time.latest$ | dedup field1 | eval component="FirstComp" | join field1 type=outer [ search index=index1 index1=main sourcetype="log4j:*" source="/var/log/*/random.log" host="host1*" | dedup field1 | eval component= "secondcomp" | eval field2=field1 ] | where isnull(field2) | table field1 The problem statement is that Fist component has 1000 events whereas second component has 2000 events. While using inner join, both the components have 1000 common events. While using left join, the result should be 0 but I'm getting those 1000 events which are visible while using inner join. Also, query structure needs to be the same due to some prior JS changes.  ... View more

Thanks @ITWhisperer for the prompt reply.  I don’t understand how a csv file would be generated on the click of a submit button in a dashboard. Can you please elaborate more.   the user selections would be 1. Time range and click submit.  the panel will show the results for a query which runs for the selected time range.  now the question is how can I export it to a csv automatically. And later on use this csv for different visualisation in a dashboard panel ... View more

@marnall @Not really, it’s like if I’m running the search for last 24 hrs, I’d like to see the data for now()+1d.  ... View more

Thanks @ITWhisperer .  [^\"] worked for me. ... View more

You're right @ITWhisperer, I can't change the time from what was used in the base search which brings me to my second question. How can I add a drilldown to the same panel with a different timestamp? I want to expand the bar chart for a particular time to a drilldown containing more detailed information for that selected time frame. ... View more