Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create filter with month names in the dashboard

antonio147
Communicator
‎11-09-2021 11:38 PM

Hi all,
i created a report, now i need to create a dashboard that takes data from this report with loadjob savedsearch.
the report has as the name of the fields 1_month_previous, 2_month_previous, ......(I could not rename the names of the months in the command stats sum (DIM) as 1_month_previous, I also followed a post here in the community)
I would like to create a filter in the dashboard with the names of the months instead of the previous_month.
I tried with this code:
<query> | makeresults
| eval MPR0 = strftime (relative_time (now (), "-0month @ month"), "% B")
| eval MPR1 = strftime (relative_time (now (), "-1month @ month"), "% B")
| eval MPR2 = strftime (relative_time (now (), "-2month @ month"), "% B")
| eval MPR3 = strftime (relative_time (now (), "-3month @ month"), "% B")
| eval MPR4 = strftime (relative_time (now (), "-4month @ month"), "% B")
| eval MPR5 = strftime (relative_time (now (), "-5month @ month"), "% B")
| eval MPR6 = strftime (relative_time (now (), "-6month @ month"), "% B")
| eval MPR7 = strftime (relative_time (now (), "-7month @ month"), "% B")
| eval MPR8 = strftime (relative_time (now (), "-8month @ month"), "% B")
| eval MPR9 = strftime (relative_time (now (), "-9month @ month"), "% B")
| eval MPR10 = strftime (relative_time (now (), "-10month @ month"), "% B")
| eval MPR11 = strftime (relative_time (now (), "-11month @ month"), "% B")

| eval MONTH = mvappend (MPR0, MPR1, MPR2, MPR3, MPR4, MPR5, MPR6, MPR7, MPR8, MPR9, MPR10, MPR11)
| table MONTH </query>
but in Dinamic Option -> Search String by inserting this code, it returns me the names of the months separated by commas, all on a single row and not in a column to let me choose the month I need.
Do you have any suggestions?

I have tried mv append, split, delim, etc .. to no avail.
I ask for help from you Splunk gurus.
Tks
BR
Antonio

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2021 12:05 AM

Here's a way that works  in SimpleXML - hopefully you can translate to Dashboard Studio

    <input type="dropdown" token="previousmonth">
      <label>Past 12 months</label>
      <search>
        <query>| makeresults
| eval month=mvrange(1, 13)
| mvexpand month
| eval month=0-month
| eval _time=relative_time(_time,month."mon@mon")
| eval month=strftime(_time,"%B")
| table month</query>
      </search>
      <fieldForLabel>month</fieldForLabel>
      <fieldForValue>month</fieldForValue>
    </input>

View solution in original post

Reply
Solved! Jump to solution

antonio147
Communicator
‎11-10-2021 12:14 AM

Hi ITWhisperer,
thanks for the quick response.
I tried your code and it works.
I found another suggestion from you regarding this request that worked just the same.
Now, however, I would like the current month (now: November) to be in first place and the previous month immediately below, and so on .....
Also since I have the 1_month_previous field in the original report I have to take those values in that field.
I thought about transforming the name of the month into its value and adding the _precedent_month suffix so as to have the field written.
Do you think it is the optimal solution or is there something better? 🙂
In any case, thanks for your invaluable help and suggestion.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2021 12:29 AM 
    <input type="dropdown" token="previousmonth">
      <label>Past 12 months</label>
      <search>
        <query>| makeresults
| eval mon=mvrange(1, 13)
| mvexpand mon
| eval mon=mon-1
| eval month=if(mon>0,(0-mon)."mon","")
| eval fieldname=if(mon>0,mon."_month_previous","now")
| eval _time=relative_time(_time,month."@mon")
| eval month=strftime(_time,"%B")
| table month fieldname</query>
      </search>
      <fieldForLabel>month</fieldForLabel>
      <fieldForValue>fieldname</fieldForValue>
    </input>
Reply
Solved! Jump to solution

antonio147
Communicator
‎11-10-2021 12:57 AM

IT Whisperer, you are great !!!!
Thank you so much, in 2 minutes you solved a problem that I had not been able to overcome for days.
You're great !!!
Tks

 

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2021 12:05 AM

Here's a way that works  in SimpleXML - hopefully you can translate to Dashboard Studio

    <input type="dropdown" token="previousmonth">
      <label>Past 12 months</label>
      <search>
        <query>| makeresults
| eval month=mvrange(1, 13)
| mvexpand month
| eval month=0-month
| eval _time=relative_time(_time,month."mon@mon")
| eval month=strftime(_time,"%B")
| table month</query>
      </search>
      <fieldForLabel>month</fieldForLabel>
      <fieldForValue>month</fieldForValue>
    </input>
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...