Dashboards & Visualizations

Splunk dashboard

Als123
Explorer

My requirement is that I need to create two panels in my dashboard.

First Panel: When I choose the last 15 minutes, I need to get the values from 10 am to 10:15 am for today's date (for example).

Second Panel: In the second panel I need to get the data from 10 am to 10:15 am for yesterday's date.

It should be a comparison between today's data and yesterday's data. Please help me frame the query for the second panel.

0 Karma

gcusello
Legend

Hi @Als123,

you have to put a Time Picker in your dashboard, set e.g. to the last 15 minutes.

In the first panel, you take the value from the Time Picker as it is.

In the second panel you use a search like this (if the Time Picker token is called e.g. "Time"):

your_search [ | makeresults | eval earliest=relative_time($Time.earliest$,"-1d"), latest=relative_time($Time.latest$,"-1d") | fields earliest latest ]
| ...

Ciao.

Giuseppe


0 Karma

Als123
Explorer

@gcusello ,

I am getting "Error in 'eval' command: The expression is malformed. Expected )."

0 Karma

gcusello
Legend

Hi @Als123,

the search seems to be correct!

could you share your search?

Ciao.

Giuseppe

0 Karma

Als123
Explorer

Hi @gcusello ,

I gave my query like this:

<query>index=xyz | makeresults | eval earliest=relative_time($field1.earliest$,"-1d"), latest=relative_time($field1.latest$,"-1d") | fields earliest latest | timechart span=5m count by specification</query>

My token name is field1.

0 Karma

gcusello
Legend

Hi @Als123,

it isn't correct: the square brackets of the subsearch are missing:

<query>
     index=xyz [ | makeresults | eval earliest=relative_time($field1.earliest$,"-1d"), latest=relative_time($field1.latest$,"-1d") | fields earliest latest ]
     | timechart span=5m count by specification
</query>

In a few words, you use a subsearch to calculate the new variables earliest and latest.

One hint: always give a name to the tokens; don't leave $field1$.

Ciao.

Giuseppe

0 Karma

Als123
Explorer

Hi @gcusello ,

I have used the query you mentioned, but again I am getting the "Error in 'eval' command: The expression is malformed. Expected )" error in my panel.

0 Karma

Als123
Explorer

Hi Team,

If I modify the query like this ("$field1.earliest$"), I am not getting the eval error, but I am not getting any search results.

<query> index=xyz [ | makeresults | eval earliest=relative_time("$field1.earliest$","-1d"), latest=relative_time("$field1.latest$","-1d") | fields earliest latest ] | timechart span=5m count by specification </query>

Please help on this.

0 Karma

gcusello
Legend

Hi @Als123,

please try this:

index=xyz [ search index=_internal ! head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ] 
| timechart span=5m count by specification

Ciao.

Giuseppe

0 Karma

Als123
Explorer

Hi @gcusello ,

I am getting "No results found" for the above query.

0 Karma

gcusello
Legend

Hi @Als123,

sorry: a typing error, please try this:

index=xyz [ search index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ] 
| timechart span=5m count by specification

Ciao.

Giuseppe

0 Karma

Als123
Explorer

Hi @gcusello ,

I have tried it like this before also. In that case also I got "No results found".

0 Karma

gcusello
Legend

@Als123,

are you sure you have events in yesterday's time range?

I tried this search on _internal in my Splunk and it runs.

Ciao.

Giuseppe

0 Karma

Als123
Explorer

Hi @gcusello ,

Yeah, in yesterday's time range the result is there. But I don't know why I am getting no results. I have used the same query as you mentioned.

0 Karma

gcusello
Legend

Hi @Als123,

first check the search using _internal, so you're sure that the search is correct:

index=_internal [ search index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ] 
| timechart span=5m count

Then run each search separately:

index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest 

and then, using yesterday's time frame:

index=xyz 
| timechart span=5m count by specification

Then if you have results in both the searches, try:

index=xyz [ search index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ] 

So you can see where the problem is.

Ciao.

Giuseppe

P.S.: tell me if I can help you more, otherwise, Karma Points are appreciated 😉
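Putting the working approach into a dashboard, as an added example that is not code from the original thread. It assumes a Simple XML form with a time input whose token is named tp (a hypothetical name), an index xyz and a field specification as in the thread. The first panel uses the picker range as-is; the second shifts both bounds back by 86400 seconds in a subsearch, exactly as in the accepted answer. The subsearch here uses | makeresults | addinfo instead of the thread's search index=_internal | head 1 | addinfo: this is my substitution, relying on the subsearch inheriting the panel's time range (the default behaviour), and it removes the dependency on the _internal index having events in the window and on the dashboard user having read access to it. The reason the earlier attempts failed is that a time-picker token such as $tp.earliest$ expands to a relative-time string like -15m (or now) for preset ranges rather than an epoch value, so relative_time() never receives the epoch number it expects; info_min_time and info_max_time from addinfo are always epoch values.

```xml
<form>
  <label>Today vs yesterday (added example, not from the original thread)</label>
  <fieldset submitButton="false">
    <!-- Time picker; the token name "tp" is a hypothetical choice -->
    <input type="time" token="tp">
      <label>Time range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Today (picker range as-is)</title>
      <chart>
        <search>
          <query>index=xyz | timechart span=5m count by specification</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Yesterday (same window shifted back 86400 s)</title>
      <chart>
        <search>
          <!-- The subsearch inherits the panel's time range (assumption: default
               subsearch behaviour); addinfo turns it into epoch bounds, which are
               shifted by one day and handed to the outer search as earliest/latest -->
          <query>index=xyz [ | makeresults | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ] | timechart span=5m count by specification</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

To check the shifted window before trusting the chart, run the subsearch on its own from the panel's time range and confirm that earliest and latest are exactly 86400 seconds behind the picker bounds; if the second panel is still empty, run index=xyz alone with yesterday's window set in the picker, as the diagnostic steps above suggest.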

Als123
Explorer

Hi @gcusello 

Now it is working fine for me. Thank you so much for your help.

0 Karma

Als123
Explorer

Hi @gcusello ,

Thank you for your help. I have another question.

In panel 1, I have two graphs (Success and Failure) for the present date.

In panel 2, I have two graphs (Success and Failure) for yesterday's date.

I need all 4 graphs (panel 1 and panel 2) in a single graph, with yesterday and today named on the X or Y axis. Please help on this.

0 Karma