Why is the Splunk Web service not running after an upgrade to 6.2? Learn more »
I have a form where you can choose a value, a time frame and click Search. The search will run and display a bar graph and table of the results.
The bar graph and table currently are only displaying about a weeks worth of data no matter what time frame you choose. For example, I choose 30 days, I still only get a week graphed and tabled.
However if I click on the "View Results" link under the table or graph, I can see all of the results for the time period specified. Example: Click View Results for 30 days, see 30 days of data graphed and 30 days of data tabled.
How can I get the graph and table to display the right amount of data for the time period I specify on the form? I'm not using timechart and I'm wondering is this the issue? I looked at other forms and some weren't using timechart at all. Here's my code from my form.
<form> <label>OXRSTESTFORM</label> <searchTemplate>index=oxrsping sourcetype=OXRSTEST4 hostname=$hostname$ | table _time hostname user_login domain_create domain_check domain_renew domain_transf domain_delete registrar_update registrar_info update_balance user_logout</searchTemplate> <earliestTime>-7d</earliestTime> <latestTime>-0d</latestTime> <fieldset> <input type="dropdown" token="hostname"> <label>Select Hostname</label> <populatingSearch fieldForValue="hostname" fieldForLabel="hostname">index=oxrsping sourcetype=OXRSTEST4 daysago=15 | fields hostname | dedup hostname </populatingSearch> <choice value="*">Any</choice> </input> <input type="time" /> </fieldset> <row> <!-- output the results as a 50 row events table --> <chart> <title>Results</title> <option name="charting.chart">line</option> <option name="charting.primaryAxisTitle.text">Date</option> <option name="charting.secondaryAxisTitle.text">Response Time (ms)</option> </chart> </row> <row> <table> <title>Results</title> <option name="showPager">true</option> </table> </row> </form>
well I sorta answered my own question. timechart was the answer.
I changed my search in the form to this:
index=oxrsping sourcetype=OXRSTEST4 | timechart sum(domain_check) as domain_check sum(domain_create) as domain_create sum(domain_delete) as domain_delete sum(domain_renew) as domain_renew sum(domain_transf) as domain_transf sum(update_balance) as update_balance sum(user_login) as user_login sum(user_logout) as user_logout sum(registrar_update) as registrar_update sum(registrar_info) as registrar_info
I was then able to see results for large spans of time. Now I just need to calculate an average time in MS for each field instead of a sum. Onward!
Validate Splunk Form Input 1 Answer