topic Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input. in Getting Data In

Splunk search query/queries for populating splunk supported timezones in dropdown type input.

waltz — Mon, 03 Jul 2017 09:22:17 GMT

I have several input types in my dashboard for which I have allotted different tokens. Now I have a requirement where I need a dropdown to be populated by the timezones supported by Splunk( The ones displayed after adjusting the user settings at Settings-> Access controls -> User-> User Name -> Edit account -> Time zone). I found a query to get the current timezone in which the user is working on using the query "| stats count | eval zone = strftime(now(), "%Z")". But I need ** separate search queries for all other timezones from the settings** as well. This would be much helpful or at least individual queries to get the IST, EST(ET), PST, GMT timezones in the dropdown input would be sufficient bare-minimally. Thank you.

Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input.

rjthibod — Mon, 03 Jul 2017 12:14:51 GMT

According to this page (http://dev.splunk.com/view/java-sdk/SP-CAAAEJ7) all of the options are found here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.

I don't think you can easily generate that list in an ad-hoc search without using a lookup table / KV Store. Since that data is static, creating a lookup search based on the wikipedia page is probably the better option.

Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input.

waltz — Mon, 03 Jul 2017 13:37:25 GMT

Thanks rjthibod for your answer. The thing is, I can even set the timezone values statically with a label and a value. But in my case, I will be needing to append another input type button's ad-hoc search/searchmanager with the timezone's search query upon changing this dropdown value onvaluechange by assigning a token value.

^ by doing something similar to the above search, I need to change the timestamp field data accordingly after getting retrieved from cassandra DB. That is why I need a search query for ET,PST,GMT and IST at least ,so that the timestamp value retrieved gets manipulated accordingly.

Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input.

woodcock — Mon, 03 Jul 2017 17:55:31 GMT

Like this:

| rest/servicesNS/-/search/data/ui/manager splunk_server=local
| regex eai:data="Time zone" 
| head 1 
| rename eai:data AS _raw 
| table _raw 
| rex mode=sed "s/(?ms)^.*Default System Timezone --\"\/>[\s\r\n]+(.*?)<\/options>.*$/\1/" 
| eval raw=split(_raw, "<opt value=") 
| mvexpand raw 
| rex field=raw "^\"(?<value>[^\"]+)\"\s+label=\"(?<label>[^\"]+)\"" 
| fields - _raw raw
| search label="*" AND value="*"

Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input.

rjthibod — Mon, 03 Jul 2017 18:17:08 GMT

Very nice @woodcock

Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input.

woodcock — Mon, 03 Jul 2017 18:28:54 GMT

The nice thing about this that you can pass both the label and the value directly to the fieldset and recreate the exact same presentation as exists in the source dashboard.

Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input.

waltz — Tue, 04 Jul 2017 09:39:32 GMT

Thanks for your answer, @woodcock! This seems to work fine in a normal ad-hoc search. But when I use this search query for my dropdown, the entire value fields seem to be converted like a string and as a result, I get only one value as a whole, whereas I need every label and value to be dynamic and get populated one by one. Also is it possible to change/manipulate the timestamp field(including offset) setting of the virtual index upon selecting a timezone from this dropdown I'm gonna create?

Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input.

woodcock — Tue, 04 Jul 2017 14:37:03 GMT

I forgot that mvexpand does not work on _raw. See my updated answer.

Re: Splunk search query/queries for populating splunk supported timezones in dropdown type input.

waltz — Tue, 04 Jul 2017 15:08:12 GMT

Awesome @woodcock! This query will do! Thank you:)