- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Create filter with month names in the dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
i created a report, now i need to create a dashboard that takes data from this report with loadjob savedsearch.
the report has as the name of the fields 1_month_previous, 2_month_previous, ......(I could not rename the names of the months in the command stats sum (DIM) as 1_month_previous, I also followed a post here in the community)
I would like to create a filter in the dashboard with the names of the months instead of the previous_month.
I tried with this code:
<query> | makeresults
| eval MPR0 = strftime (relative_time (now (), "-0month @ month"), "% B")
| eval MPR1 = strftime (relative_time (now (), "-1month @ month"), "% B")
| eval MPR2 = strftime (relative_time (now (), "-2month @ month"), "% B")
| eval MPR3 = strftime (relative_time (now (), "-3month @ month"), "% B")
| eval MPR4 = strftime (relative_time (now (), "-4month @ month"), "% B")
| eval MPR5 = strftime (relative_time (now (), "-5month @ month"), "% B")
| eval MPR6 = strftime (relative_time (now (), "-6month @ month"), "% B")
| eval MPR7 = strftime (relative_time (now (), "-7month @ month"), "% B")
| eval MPR8 = strftime (relative_time (now (), "-8month @ month"), "% B")
| eval MPR9 = strftime (relative_time (now (), "-9month @ month"), "% B")
| eval MPR10 = strftime (relative_time (now (), "-10month @ month"), "% B")
| eval MPR11 = strftime (relative_time (now (), "-11month @ month"), "% B")
| eval MONTH = mvappend (MPR0, MPR1, MPR2, MPR3, MPR4, MPR5, MPR6, MPR7, MPR8, MPR9, MPR10, MPR11)
| table MONTH </query>
but in Dinamic Option -> Search String by inserting this code, it returns me the names of the months separated by commas, all on a single row and not in a column to let me choose the month I need.
Do you have any suggestions?
I have tried mv append, split, delim, etc .. to no avail.
I ask for help from you Splunk gurus.
Tks
BR
Antonio
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a way that works in SimpleXML - hopefully you can translate to Dashboard Studio
<input type="dropdown" token="previousmonth">
<label>Past 12 months</label>
<search>
<query>| makeresults
| eval month=mvrange(1, 13)
| mvexpand month
| eval month=0-month
| eval _time=relative_time(_time,month."mon@mon")
| eval month=strftime(_time,"%B")
| table month</query>
</search>
<fieldForLabel>month</fieldForLabel>
<fieldForValue>month</fieldForValue>
</input>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ITWhisperer,
thanks for the quick response.
I tried your code and it works.
I found another suggestion from you regarding this request that worked just the same.
Now, however, I would like the current month (now: November) to be in first place and the previous month immediately below, and so on .....
Also since I have the 1_month_previous field in the original report I have to take those values in that field.
I thought about transforming the name of the month into its value and adding the _precedent_month suffix so as to have the field written.
Do you think it is the optimal solution or is there something better? 🙂
In any case, thanks for your invaluable help and suggestion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<input type="dropdown" token="previousmonth">
<label>Past 12 months</label>
<search>
<query>| makeresults
| eval mon=mvrange(1, 13)
| mvexpand mon
| eval mon=mon-1
| eval month=if(mon>0,(0-mon)."mon","")
| eval fieldname=if(mon>0,mon."_month_previous","now")
| eval _time=relative_time(_time,month."@mon")
| eval month=strftime(_time,"%B")
| table month fieldname</query>
</search>
<fieldForLabel>month</fieldForLabel>
<fieldForValue>fieldname</fieldForValue>
</input>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IT Whisperer, you are great !!!!
Thank you so much, in 2 minutes you solved a problem that I had not been able to overcome for days.
You're great !!!
Tks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a way that works in SimpleXML - hopefully you can translate to Dashboard Studio
<input type="dropdown" token="previousmonth">
<label>Past 12 months</label>
<search>
<query>| makeresults
| eval month=mvrange(1, 13)
| mvexpand month
| eval month=0-month
| eval _time=relative_time(_time,month."mon@mon")
| eval month=strftime(_time,"%B")
| table month</query>
</search>
<fieldForLabel>month</fieldForLabel>
<fieldForValue>month</fieldForValue>
</input>
Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea
Investigate Security and Threat Detection with VirusTotal and Splunk Integration
Observability Highlights | January 2023 Newsletter
