I am trying to build a dashboard based on the search below, with a drop-down picker for time span and a drop-down button for sourcetype. When I run the search without the pickers it runs great: I get multiple actions, log in, log out, and Null to name a few. But when I use the search with time pickers, the only action column I get is null. I have checked Answers and the docs, but I am unable to figure out why the other columns are not showing up when I use the picker/tokens in the search.
Base Search:
sourcetype="YYY_XXX"
|timechart span=15m count by Action limit=0
Dashboard search with Tokens:
?CU?
|timechart $Span$ count by Action limit=0
Dashboard XML
@tnoelOTS, I think you meant $CU$ in your code, not ?CU?. Nevertheless, the timechart command would show the NULL field alone only if the correct field name Action is not picked up by any sourcetype.
Following is a run-anywhere dashboard based on three sourcetypes from Splunk's _internal index, i.e. splunkd_access, splunkd_ui_access, splunk_web_access, with a common field called method available in all three.
I have just added default values for the CU and Span dropdowns and added a Time Picker. PS: the default value of a space in Span implies Splunk will pick up the span based on the selected time range.
<form>
  <label>Dashboard with tokens</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="CU" searchWhenChanged="true">
      <label>Credit Union</label>
      <choice value="*">all</choice>
      <choice value="splunkd">Splunk</choice>
      <choice value="splunkd_ui">Splunkd UI</choice>
      <choice value="splunk_web">Splunkd Web</choice>
      <suffix>_access"</suffix>
      <prefix>sourcetype="</prefix>
      <default>*</default>
    </input>
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Span" searchWhenChanged="true">
      <label>Span</label>
      <choice value=" ">Default</choice>
      <choice value="span=1m">1 min</choice>
      <choice value="span=5m">5 min</choice>
      <choice value="span=10m">10 min</choice>
      <choice value="span=20m">20 min</choice>
      <choice value="span=1h">1 hour</choice>
      <choice value="span=2h">2 hour</choice>
      <default> </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal $CU$
| timechart $Span$ count by method</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
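Added example, not part of the original answer or of Splunk's tooling: a small Python check for the mistake discussed in this thread. It parses a Simple XML form, collects the tokens defined by <input> and <set> elements, and reports searches that reference an undefined $token$ or that wrap a defined token name in ?...? so it is passed to the search as literal text. The function name lint_dashboard, the embedded sample and the $Spam$ typo are constructed for illustration; tokens defined any other way are outside what it checks.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the answer's form, trimmed, plus a second panel that uses
# the question's "?CU?" placeholder and a misspelled (undefined) $Spam$ token.
SAMPLE = """<form>
  <fieldset>
    <input type="dropdown" token="CU"/>
    <input type="time" token="tokTime"/>
    <input type="dropdown" token="Span"/>
  </fieldset>
  <row><panel><chart><search>
    <query>index=_internal $CU$ | timechart $Span$ count by method</query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
  </search></chart></panel>
  <panel><chart><search>
    <query>?CU? | timechart $Spam$ count by Action limit=0</query>
  </search></chart></panel></row>
</form>"""

TOKEN = re.compile(r"\$([A-Za-z_][\w.]*?)(?:\|[a-z]+)?\$")  # $tok$, $tok.sub$, $tok|s$
BAD_DELIM = re.compile(r"\?(\w+)\?")                         # ?tok?, as in the question

def lint_dashboard(xml_text):
    """Return sorted (element, problem) pairs for token use inside <search>."""
    root = ET.fromstring(xml_text)
    defined = {e.get("token") for tag in ("input", "set")
               for e in root.iter(tag) if e.get("token")}
    problems = set()
    for search in root.iter("search"):
        for el in search:
            if el.tag not in ("query", "earliest", "latest"):
                continue
            text = el.text or ""
            for name in TOKEN.findall(text):
                # Time inputs expose tok.earliest / tok.latest: compare the base name.
                if name.split(".")[0] not in defined:
                    problems.add((el.tag, f"undefined token ${name}$"))
            for name in BAD_DELIM.findall(text):
                if name in defined:
                    problems.add((el.tag, f"?{name}? is literal text; use ${name}$"))
    return sorted(problems)

if __name__ == "__main__":
    for tag, msg in lint_dashboard(SAMPLE):
        print(f"<{tag}>: {msg}")
```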