I think I've sorted out query issues:
sourcetype=mytype status=failed | stats count as failedTotal, count(eval('log{}.message!="completed"')) as failedComplete
this seems to work.
Now my problem is that I'm not sure what to do about the search handler:
"finalized" is not listed in docs: https://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/EventHandlerReference#Search_event_handlers
your sample shows "query" tag, but that is already filled. Am I supposed to just append that tag's content to whatever my current "query" tag contains?
is there a full source of the panel using method you describe? That would probably answer most of above points.
... View more