I have a drilldown into another dashboard with parameters earliest=$earliest$ and latest=$latest$, this works. When I go into the drilldown dashboard directly it sets the data to come back as "all time".  Is there a way that I can have multiple defaults or some other constrain that doesn't cause this? Here's what I've been working on but it's not working. Any feedback would be helpful... <input type="time" token="t_time"> <default> <earliest>if(isnull($url.earliest$), "-15m@m", $url.earliest$)</earliest> <latest>if(isnull($url.latest$), "now", $url.latest$)</latest> </default> </input> ... View more

I have created a dashboard in dashboard studio. I have a table visualization, see my code below.  So, the "Time" column auto sets my | bin to one minute. When I update my timepicker to say the last 7 days it still shows the time |bin as one minute.  How can I dynamically change the |bin to best fit my timepicker selection?   | search cat IN ($t_endpoint$) AND Car IN ($t_car$) | eval Time=strftime(_time,"%Y-%m-%d-%I:%M %p") | stats limit=15 sum(Numbercat) as Numbercat, avg(catTime) as AvgcatSecs by Time, Car, cat     ... View more

I have the below code. I know that values exist under the subsearch which are not returning when I run the below query. However, when I uncomment the "where clause" in the sub search the values appear. I don't know what I have done incorrectly for my results to not show. I've also commented out the |search and it still doesn't show that these values exist in the subsearch.  Any help would be appreciated.  index=customer name IN (gate-green, gate-blue) msg="*First time: *" | rex field=msg "First time: (?<UserId>\d+)" | eval FirstRequest = 1 | join type=left UserId [search index=customer name IN (cust-blue, cust-green) msg="*COMPLETED *" | rex field=msg "Message\|[^\t\{]*(?<json>{[^\t]+})" | spath input=json path=infoId output=UserId | eval Completed = 1 ```| where UserId IN (125,999,418,208)```] | table UserId, Completed | search UserId IN (125,999,418,208)   ... View more

Hello, I have the below code. I'm trying to create a new column that extracts and pivots CareCnts, CoverCnts, NonCoverCnts, etc... (There are more but I have simplified). These |eval are related to their corresponding `| evals`.  New Columns = ResourceCounts How would one accomplish this?  index=red msg="*COMPLETED Red*" | spath output=logMessage path=msg | eval Care=spath(json, "Info.Care.elapsedTime") | eval CareCnts=spath(json, "Info.Care.Redcount") | eval Cover=spath(json, "Info.Cover.elapsedTime") | eval CoverCnts=spath(json, "Info.Cover.Redcount") | eval NonCover=spath(json, "Info.NonCover.elapsedTime") | eval NonCoverCnts=spath(json, "Info.NonCover.Redcount") | eval Category = "Red" | table _time, Care, Cover, NonCover, Category | eval SysTime = Category + ":" + _time | fields - Category | untable SysTime Resource CurValue | eval Category = mvindex(split(SysTime, ":"), 0) | eval _time = mvindex(split(SysTime, ":"), 1) | fields - SysTime | table _time, Resource, CurValue, Category Example output: _time Resource CurValue Category *NewColumn 2023-11-06 Care 14.20 Red 10 2023-11-06  Cover 3.4 Red 3 2023-11-06  NonCover 5.5 Red 8   ... View more

I have the below Trellis, is there a way to change the color for each Trellis? My code from Classic Dashboard.    search Cu $t_c$ En $t_e$ | timechart span=1h avg(Value) as AvgValue_Secs by Category     I want something like this:   ... View more