Drop Down Menu with Time

gnovak · ‎12-21-2010

Hi,

I'm trying to add a drop down menu to a chart I have created on my dashboard but I can't seem to get it to work. The code for the chart on my dashboard is:

<label>Balance Email Summary - Last 24 Hours</label>
<row>    
<chart>
  <title>Total Emails For All Registries</title>
  <searchName>balance_email_sent_and_tosend</searchName>
 <option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
 <option name="charting.chart.useAbsoluteSpacing">true</option>
 <option name="charting.chart.columnSpacing">5</option>
 <option name="charting.legend.placement">top</option>
</chart>

I'd like to add a drop down menu to this so that users can select the time span they would like for the search.

The code I have for the drop down menu is:

<input type="time"/>    
<input type="dropdown" token="timeSpan">
<label>Time span for charts</label>
<default>span=4h</default>
<choice value="span=5m">5 Minute</choice>
<choice value="span=10m">10 Minutes</choice>
<choice value="span=1h">1 hour</choice>
<choice value="span=4h">4 hours</choice>
<choice value="span=24h">24 hours</choice>
<choice value="span=7d">7 days</choice>
<choice value="rt">Real-time</choice>
</input>

I've tried inserting this before row and after row but I still can't seem to get it to show up or work. Is there something anyone notices out of the ordinary that I could be missing?

gnovak · ‎12-29-2010

This actually works if I make a new "view" or dashboard and put this code in it. However I am having issues trying to incorporate this code with my current dashboard. At some point the view shows up as "None" in the views menu and when I click it I get an error.

I'm still looking into this but not sure why it's doing this.

gnovak · ‎12-29-2010

I had to take out from the top of the code and from the bottom of the code.

mzax · ‎12-28-2010

This is the xml that adds the time drop down menu and execute the new search when changed:

<form>
<label>FOO</label>
<title>Total Emails For All Registries</title>
<fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true" />
    <default>Last 24 hours</default>
</fieldset>
<row>
    <chart>
        <title>Matching events</title>
        <searchTemplate><![CDATA[ sourcetype="cron_BalanceEmail" (source="*asia*" OR source="*info*" OR source="*org*") BalanceEmail sent | rex field=_raw "\[BalanceEmail\] ?(?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsToSend="*" OR TotalEmailsSent="*" | timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent ]]></searchTemplate>
        <option name="charting.chart">column</option>
        <option name="charting.primaryAxisTitle.text">Date</option>
        <option name="charting.secondaryAxisTitle.text">Number of Emails</option>
        <option name="charting.chart.useAbsoluteSpacing">true</option>
        <option name="charting.chart.columnSpacing">5</option>
        <option name="charting.legend.placement">top</option>
  <module name="TimeRangePicker">
  <param name="selected">All time</param>
  <param name="searchWhenChanged">True</param>
   </module>
</chart>

sideview · ‎12-21-2010

The simplified XML uses the stringreplace intention, and the stringreplace intention is unique in that you have to specify in the search string where exactly the $timeSpan$ token should be inserted.

So in light of that, one thing to try is changing your search to

sourcetype="cron_BalanceEmail" (source="*asia*" OR source="*info*" OR source="*org*") starthoursago="120" BalanceEmail sent | rex field=_raw "\[BalanceEmail\] ?(?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsToSend="*" OR TotalEmailsSent="*" | timechart $timeSpan$ sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent

(Note the $timeSpan$ token now living in the timechart clause)

An obvious problem with the stringreplace intention here is of course that the saved search will not function correctly outside of this one custom view. The $timeSpan$ argument will not get replaced when the search is run straight from the menu so it'll throw a search language syntax error. What you have to do then if you want that saved search to be both visible and functional, is to specify the search inline with <search> instead of <searchName> or use a different saved search that is configured with is_visible=False.

sideview · ‎12-27-2010

And by 'use a different saved search that is configured with is_visible=False', Im just pointing out that if you need it to be a saved search for some reason, it'll have the $foo$ tokens in it. This means when people go and run the search from the saved search menu it wont work cause those $foo$ tokens will be searched on as literals. So you can have two copies of the saved search, and have the $foo$ one marked with is_visible=false such that it doesnt appear in the menu. hth

sideview · ‎12-27-2010

You dont need a $foo$ token for the timeRange - it is handled in parallel with the search and as such does not appear in the search string. And it should work fine in the simplified XML to have both pulldowns but it's a pita to debug the simplified XML so I do recommend switching to the advanced XML. In the long run people find it easier to understand and deal with.

And the token names themselves like '$timeSpan$' are meaningless - you can call it $monkey$ if you like.

gnovak · ‎12-22-2010

I'm starting to wonder: do i have to make this entire dashboard advanced XML now to be able to add a drop down menu where the user can select the timerange for the search results?

gnovak · ‎12-22-2010

Also keep in mind that code for the drop down I "borrowed" from another example so the $timespan$ token i am not sure is relevant to the search or not. I was trying to find more data on what exactly to specify for a token but that info is sometimes hard to find.

gnovak · ‎12-22-2010

When you say "use a different saved search that is configured with is_visible=False." what do you mean? Can you explain?

gnovak · ‎12-22-2010

I tried putting this search directly in the dashboard xml but it threw an error. I had sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="" OR TotalEmailsSent="" | timechart $timeSpan$ sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent and it did not work. Also where do I put the code for the drop down?

gnovak · ‎12-21-2010

I will try using the inline search and see if this works.

gnovak · ‎12-21-2010

Also here is the search as well: sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="" OR TotalEmailsSent=""
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent

Drop Down Menu with Time

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms