Hi Community!
I'm trying to create a form search, in which the user should:
1.) Choose a time range in which he suggests the Events
2.) Select a host on which he will see the Events
3.) Select the desired Event
Here, in the 3rd step, I have the problem. The user should see a formatted timestamp (Event1_tok) for this one Event and then it should be passed into the original search, but it seems that because the timestamp is formatted, the search fails.
How can I pass the correct time format to the search, so that I only get this one Event?
<form>
  <label>Review Config Changes Testing</label>
  <description>Specify TimeRange in which the events are suggested. Then define HostName and Events to compare.</description>
  <fieldset autoRun="false">
    <input type="time" token="TimeRange_tok">
      <label>Select a Time Range</label>
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <input type="dropdown" token="HostName_tok">
      <label>Select a HostName</label>
      <search>
        <query>index=xkm sourcetype=xkmconfig earliest=$TimeRange_tok.earliest$ latest=$TimeRange_tok.latest$ | stats count by host </query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
    <input type="dropdown" token="Event1_tok">
      <label>Select first Event</label>
      <search>
        <query>index=xkm sourcetype=xkmconfig host=$HostName_tok$ earliest=$TimeRange_tok.earliest$ latest=$TimeRange_tok.latest$ | eval EventTime1=strftime(_time, "%d.%m.%Y %H:%M:%S") | stats count by EventTime1 </query>
      </search>
      <fieldForLabel>EventTime1</fieldForLabel>
      <fieldForValue>_time</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=xkm sourcetype=xkmconfig host=$HostName_tok$ earliest=$Event1_tok$ latest=$Event1_tok$ </query>
          <!--earliestTime>$ TimeRange_tok.earliest$</earliestTime>
          <latestTime>$ TimeRange_tok.latest$</latestTime-->
        </search>
      </event>
    </panel>
  </row>
</form>
Thank you for your help!
Robert
Replace your Event1_tok input definition with this.
  <input type="dropdown" token="Event1_tok">
    <label>Select first Event</label>
    <search>
      <query>index=xkm sourcetype=xkmconfig host=$HostName_tok$ earliest=$TimeRange_tok.earliest$ latest=$TimeRange_tok.latest$ | eval EventTime1=strftime(_time, "%d.%m.%Y %H:%M:%S") | stats count by EventTime1,_time </query>
    </search>
    <fieldForLabel>EventTime1</fieldForLabel>
    <fieldForValue>_time</fieldForValue>
  </input>
</fieldset>
Thanks, that works! Regards, Robert