topic Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred? in All Apps and Add-ons

Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

Norling80 — Wed, 08 Apr 2015 07:23:08 GMT

Hi guys. When using the Single Value Decorations (extension available in the Splunk 6.x Dashboard Examples) is it possible to show the timestamp next to the decoration instead of the value for when the last event occurred, my XML and search looks like this:

        <searchString> "my base search" | stats count | rangemap field=value none=0-99 low=100-199 guarded=200-299  
        elevated=300-399 high=400-499 severe=500-599 default=none</searchString>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
        <option name="classField">range</option>
        <option name="field">value</option

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

markthompson — Wed, 08 Apr 2015 07:25:34 GMT

Yep.

Change value to _time

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

Norling80 — Wed, 08 Apr 2015 07:36:18 GMT

Thanks Mark. I actually tried that and also experimented around the last(_time) command without any success. so that does not change anything. It still shows the amount of events returned by stats count.

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

chimell — Wed, 08 Apr 2015 07:44:55 GMT

Hi Norling80

use

 <earliestTime>-15m@m</earliestTime>

instead of

 <earliestTime>-15m</earliestTime>

and retry

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

markthompson — Wed, 08 Apr 2015 07:45:09 GMT

Hi Norling, give me a chance to get on my instance as we've done this before, I'll get back to you shortly

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

markthompson — Wed, 08 Apr 2015 07:54:24 GMT

@Norling80 - Have you changed the rangemap? Splunk uses the rangemap field as a judgement.

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

markthompson — Wed, 08 Apr 2015 08:47:07 GMT

Hi Norling,
Try this;

<searchString> "my base search" | stats count | table _time value | rangemap field=value none=0-99 low=100-199 guarded=200-299  
         elevated=300-399 high=400-499 severe=500-599 default=none</searchString>
         <earliestTime>-15m</earliestTime>
         <latestTime>now</latestTime>
         <option name="classField">range</option>
         <option name="field">value</option

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

stephanefotso — Wed, 08 Apr 2015 09:26:54 GMT

Here is my help. just test the example bellow. just know that concerning the time, you can only set hours, or minutes, or seconds, or days, ....

<dashboard stylesheet="single_decorations.css">
    <label>Single Value Decorations</label>
    <description>
        This example shows decorations for the single value visualization using some custom CSS. The icon are displayed using the Splunk Icon Font.
    </description>
    <row>
        <single>
          <searchString>index=_internal| stats count as value by date_hour | eval date_hour = 8 | rangemap field=date_hour none=0-5 low=6-10 guarded=10-15</searchString>
            <latestTime>now</latestTime>
            <option name="classField">range</option>
            <option name="field">date_hour</option>
        </single>
        <single>
            <searchString>index=_internal|eval time=strftime(_time, "%H")| stats count as value by time| eval time =09| rangemap field=time none=0-5 low=6-10  guarded=11-20 default=none </searchString>
            <earliestTime>-1d</earliestTime>
            <latestTime>now</latestTime>
            <option name="classField">range</option>
            <option name="field">time</option>
        </single>
  </row>
</dashboard>

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

Norling80 — Wed, 08 Apr 2015 13:05:17 GMT

Thanks for the swift assistance guys, looks like it´s not possible to get the entire timestamp which is the only thing i´m interested in 🙂

Any other good ideas on how to solve this?

Re: Splunk 6.x Dashboard Examples: When using Single Value Decorations, is it possible to show the timestamp instead of the value for when the last event occurred?

markthompson — Wed, 08 Apr 2015 13:23:30 GMT

Hi Norling,
Which answer are you trying to use? if you're using @stephanefotso 's answer, change eval time=strftime(_time, "%H") to eval time=strftime(_time, "%d/%m/%Y %H:%M:%S")