Dashboards & Visualizations

form not displaying correct number of results

gnovak
Builder

Hello,

I have a form where you can choose a value, a time frame and click Search. The search will run and display a bar graph and table of the results.

The bar graph and table currently are only displaying about a weeks worth of data no matter what time frame you choose. For example, I choose 30 days, I still only get a week graphed and tabled.

However if I click on the "View Results" link under the table or graph, I can see all of the results for the time period specified. Example: Click View Results for 30 days, see 30 days of data graphed and 30 days of data tabled.

How can I get the graph and table to display the right amount of data for the time period I specify on the form? I'm not using timechart and I'm wondering is this the issue? I looked at other forms and some weren't using timechart at all. Here's my code from my form.

    <form>
 <label>OXRSTESTFORM</label>
 <searchTemplate>index=oxrsping sourcetype=OXRSTEST4 hostname=$hostname$ | table _time hostname user_login domain_create domain_check domain_renew domain_transf domain_delete registrar_update registrar_info update_balance user_logout</searchTemplate>  
<earliestTime>-7d</earliestTime>
<latestTime>-0d</latestTime>
 <fieldset>
  <input type="dropdown" token="hostname">
   <label>Select Hostname</label>
      <populatingSearch fieldForValue="hostname" fieldForLabel="hostname">index=oxrsping sourcetype=OXRSTEST4 daysago=15 | fields hostname | dedup hostname
</populatingSearch>
   <choice value="*">Any</choice>
</input>
 <input type="time" />
 </fieldset>

    <row>
       <!-- output the results as a 50 row events table -->
       <chart>
           <title>Results</title>
       <option name="charting.chart">line</option>
       <option name="charting.primaryAxisTitle.text">Date</option>
       <option name="charting.secondaryAxisTitle.text">Response Time (ms)</option>
       </chart>
    </row>

<row>
   <table>
    <title>Results</title>
     <option name="showPager">true</option>
    </table>
  </row>
</form>
Tags (1)
0 Karma
1 Solution

gnovak
Builder

well I sorta answered my own question. timechart was the answer.

I changed my search in the form to this:

index=oxrsping sourcetype=OXRSTEST4 | timechart sum(domain_check) as domain_check sum(domain_create) as domain_create sum(domain_delete) as domain_delete sum(domain_renew) as domain_renew sum(domain_transf) as domain_transf sum(update_balance) as update_balance sum(user_login) as user_login sum(user_logout) as user_logout sum(registrar_update) as registrar_update sum(registrar_info) as registrar_info

I was then able to see results for large spans of time. Now I just need to calculate an average time in MS for each field instead of a sum. Onward!

View solution in original post

0 Karma

gnovak
Builder

well I sorta answered my own question. timechart was the answer.

I changed my search in the form to this:

index=oxrsping sourcetype=OXRSTEST4 | timechart sum(domain_check) as domain_check sum(domain_create) as domain_create sum(domain_delete) as domain_delete sum(domain_renew) as domain_renew sum(domain_transf) as domain_transf sum(update_balance) as update_balance sum(user_login) as user_login sum(user_logout) as user_logout sum(registrar_update) as registrar_update sum(registrar_info) as registrar_info

I was then able to see results for large spans of time. Now I just need to calculate an average time in MS for each field instead of a sum. Onward!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...