Solved: Re: How to use 2 different query in dashboard and ... - Page 2

Punnu · ‎04-04-2025

Hi All,

I have created one query and it is working fine in search. I am sharing part of code from dashboard. In first part of call if you see I have hardcoded by earliest and latest time . But i want to pass those as input values by selecting input time provided on dashboard and then remaining part of query I want to run for whole day or lets say another time range . becuse it is possible that request i have received during mentioned time might get process later at dayy.How can I achieve this . Also I want to hide few columns at end like message guid , request time and output time .

    <panel>
      <table>
        <title>Contact -Timings</title>
        <search>
          <query>```query for apigateway call```
index=aws* earliest="03/28/2025:13:30:00" latest="03/28/2025:14:35:00" 
Method response body after transformations: sourcetype="aws:apigateway"
| rex field=_raw "Method response body after transformations: (?&lt;json&gt;[^$]+)" 
| spath input=json path="header.messageGUID" output=messageGUID 
| spath input=json path="payload.statusType.code" output=status 
| spath input=json path="payload.statusType.text" output=text 
| spath input=json path="header.action" output=action 
| where status=200 and action="Create" 
| rename _time as request_time 
    ```dedupe is added to remove duplicates ```
| dedup messageGUID
| append 
```query for event brigdel```
    [ search index="aws_np" 
| rex field=_raw "messageGUID\": String\(\"(?&lt;messageGUID&gt;[^\"]+)" 
| rex field=_raw "source\": String\(\"(?&lt;source&gt;[^\"]+)" 
| rex field=_raw "type\": String\(\"(?&lt;type&gt;[^\"]+)" 
| where  source="MDM"   and type="Contact"  ```and messageGUID="0461870f-ee8a-96cd-3db6-1ca1f6dbeb30"```
    | rename _time as output_time  | dedup messageGUID
    ] 
| stats values(request_time) as request_time values(output_time) as output_time    by messageGUID
|  where isnotnull(output_time) and isnotnull(request_time)   
 | eval timeTaken=(output_time-request_time)/60| convert ctime(output_time)| convert ctime(request_time)
| eventstats avg(timeTaken) min(timeTaken) max(timeTaken) count(messageGUID)
| head 1</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>

Punnu

I got solution of this by following what is mentioned in https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367124#M108287

View solution in original post

Punnu · ‎04-06-2025

Could there a possibility this playing any role is error

ITWhisperer · ‎04-06-2025

That seems unlikely. What does the search job inspector show?

Punnu · ‎04-06-2025

ITWhisperer · ‎04-06-2025

What about your search job inspector

and search log (particularly the expanded index search

Punnu · ‎04-06-2025

it is showing error

Punnu · ‎04-06-2025

Hi @ITWhisperer ,

I am observing one thing when I am changing to following format , instead of space giving : (highlighted in red ) , then it is running but not getting values of earliest, latest. Not sure is this correct way to display values .

ITWhisperer · ‎04-06-2025

It is not clear where the _time>= and _time< are coming from but these are where the issue is being introduced. Do you have any restrictions etc. associated with the role?

PickleRick

@ITWhisperer This is actually what Splunk internally translates earliest and latest parameters to.

@PunnuThis is a very interesting issue because when I use an identical search on a 9.1.2 instance I just pulled and ran in my docker container on my laptop, it runs without any issues.

Try running your subsearch with added | format command and see what it returns (it should return the set of conditions for the outer search rendered as string.

| makeresults
| eval earliest=strptime("12/03/2025 13:00","%d/%m/%Y %H:%M")
| eval latest=relative_time(earliest,"+1d")
| table earliest latest
| format

Punnu

Hello @PickleRick ,even simple search is failing . I tried keeping it in [] also ,still erroring out

PickleRick

This is wrong syntax. You can't search from index and then do makeresults.

Punnu · ‎04-06-2025

Hi @ITWhisperer , I will try to find out this with our Splunk enterprise team . But if that is true, this should also happen in this case also where space between date and hrs is replaces by :

then it is running fine but I am not sure if it running correct timings which I mean is 12-March-2025 to 13-march-2025

How to use 2 different query in dashboard and hide few columns

Classic dashboard

panel

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?