Panel 3 now shows the different categories at the x axis, but the value at the y axis is incorrect (everything is only in the second column summed up). Results from panel 1 and 2 are now merged in 1 line as verified using search. Panel 1 and 2 now show "No result found" instead of the previous column chart like what was intended: Panel 3 shows "Search is waiting for input". However I faced two issues here and would like to seek your help on it: | stats values(tmp) as tmp values(Total) as Total I've tried to modify it by adding the following at panel 1 and panel 2: If you want to keep multi-values to other panel, try to make single value. | stats values(tmp) as tmp values(total) as total Here's a sample of my failed attempt: Difference between Panel 1 and Panel 2 Is there any way I can calculate the difference in measurement in a separate Panel within the same dashboard? Perhaps passing a token from the eval results from panel 1 and 2, and then calculating at a separate panel? Is there a way to pass a value from 1 panel to another? For example in a dashboard, Panel 1 shows the measurement based on time picker1 and Panel 2 shows the measurement based on time picker2. We are thinking of just showing the difference between period A and B. Seems like an overlay chart may not be the most flexible way to approach this. Thanks for your reply, I agree with your point.
| stats sum(value) as count by sourcetype | mvexpand result | fields - result1 result2 Panel 2 time range $field2.earliest$ to $field2.latest$ Index=_internal (earliest=$field2.earliest$ latest=$field2.latest$) Panel 1 time range $field1.earliest$ to $field1.latest$ | eventstats values(tmp) as tmp values(total) as total Index=_internal (earliest=$field1.earliest$ latest=$field1.latest$) Question 2: How do I set the time picker token to the time (or period selected in timepicker) and use it in the dashboard panel's "?"), "%b") Question 1: How can I change the query to allow the time picker's token (a total of 2 separate time periods) to be passed it ("eval month=." portion?) to eventually plot it in the xyseries? | stats sum(EFG) as XYZ by condition1 month | stats count as ABC by month condition1 condition2 setting earliest as and latest as eval month=strftime(_time,"%m") Here is the solution from the previous post which compares between the previous month and the month before that. Index=aiam_itsm_ticket_ptest_ctest_index * _raw="** " problem_mapping="" system_user=" " | fillnull value="Not Defined"|eval time_submitted = strptime(time_submitted, "%m/%d/%Y %I:%M:%S %p") | eval ticket_start_time = $start_tok.earliest$ | eval ticket_end_time = $start_tok.Sample of requirement (the time period should be selected based on 2 separate timepickers): Afterwards, I converted it back again to a readable format using: strftime(time_submitted, "%m/%d/%Y %I:%M:%S %p"). I was able to resolve the issue by converting the time_submitted to: strptime(time_submitted, "%m/%d/%Y %I:%M:%S %p") then using the earliest and latest value from my date time dropdown token.
Index=aiam_itsm_ticket_ptest_ctest_index * _raw=" " problem_mapping="" system_user=" " ticket_source="" | fillnull value="Not Defined"| search Assignee_Site_Country = $tok_country$ | where (time_submitted > " 12:00:00 AM" AND time_submitted ticket_start_time AND submitted_date < ticket_end_time) | search Ticket_Type=Incident | table ticket_number ,problem_abstract, severity, time_submitted, Last_Modified_Date,service_restored_date, owner_name, current_ticket_state, work_queue, asset_id, Tool, ticket_source,Ticket_Type, system_user, Assignee_Site_Country | rename ticket_number as "Incident Number" ,problem_abstract as "Description", time_submitted as "Time Submitted", severity as "Severity", owner_name as "Ticket Assignee", current_ticket_state as "Status", work_queue as "Assignment Queue", asset_id as "Portfolio Group", Tool as "Asset", ticket_source as "Ticket Source", system_user as "Requestor", Assignee_Site_Country as "Assigned Country", service_restored_date as "Resolved date", Last_Modified_Date as "Last Modified Date" Please help on what should be the correct query for the date time pickers and if it is possible. The idea is, the user should be able to filter the report using start time and end time. However, when I tried replacing the value of time_submitted with the value from the date time picker token, the report does not load and is just returning no results found. Whenever I use the query below on a search, it works fine. Our report contains a column named time_submitted where the tok_starttime should filter the value from. I'm trying to utilize the date time picker (tok_starttime) for my start time and end time.