topic Re: How to get earliest and latest from time filter? in Getting Data In

How to get earliest and latest from time filter?

asubramanian — Fri, 11 Oct 2019 19:14:08 GMT

I am using a dashboard with some filters including the built int time input for the events.

For the queries in the chart Iam using $duration.earliest$ and $duration.latest$ for earliest and latest window.

below is a sample query in the dashboard and how I am fetching the time from the time input filter.

index=my_index
 earliest=$duration.earliest$
 latest=$duration.latest$
 "Log Message"
 | timechart count by sourcetype limit=0

It works for the preset for relative duration like last 7 days, 30 days etc but when I click All time it doesnt work. Looking at the query both this are set to empty values.

For all time shouldn't the evaluated values be set as earliest=1 latest=now ?

Similar error when I use realtime when I use real time of 10 day window the query becomes
earliest=rt-10d latest=rtnow and errors out as " Invalid value "rt-10d" for time term 'earliest'"

Edit: if search is not enabled in the times.conf does it return this error ?

Rest of Presets, relative and time range works without these issues.

Re: How to get earliest and latest from time filter?

woodcock — Fri, 11 Oct 2019 19:27:48 GMT

Add this to your SPL:

... | addinfo | rename info_* AS _info_*

Then use $results._info_min_time$ and $results._info_max_time.

Re: How to get earliest and latest from time filter?

asubramanian — Fri, 11 Oct 2019 21:44:36 GMT

index=my_index
| addinfo | rename info_* AS _info_*
earliest=$results._info_min_time$
latest=$results._info_max_time$
"Log Message"
| timechart count by sourcetype limit=0

this is what i am using after change from $duration.earliest$ & $duration.latest$ to the above query, chart gets stuck at waiting for input even when i select some time in my time query.

@woodcock Can you please let me know what I am doing wrong here ?

Re: How to get earliest and latest from time filter?

asubramanian — Wed, 30 Sep 2020 02:31:49 GMT

Also info_min_time and info_max_time both seem to be fixed values and not configurable from the time search input i.e info_max_time is always infinity and info_min_time is always 0

Re: How to get earliest and latest from time filter?

woodcock — Sat, 12 Oct 2019 17:44:06 GMT

I thought that you were talking about dashboards and simplexml. You are going to have to back ALL THE WAY UP and explain exactly what you are doing. It makes no sense at all to me why you would need to do any of this and not just rely on the timepicker's natural behaviour.

Re: How to get earliest and latest from time filter?

asubramanian — Tue, 15 Oct 2019 19:36:05 GMT

@woodcock I am using the time picker. as I mentioned earlier. I have shared the sample query on how I am getting the value from the time picker in my queries. for 'All' and relative times this doesnt work.

Re: How to get earliest and latest from time filter?

woodcock — Wed, 16 Oct 2019 20:35:09 GMT

You are doing it wrong. Your dashboard panel should look like this (you can see that the time token values are in the <earliest>$field1.earliest$</earliest> and <latest>$field1.latest$</latest> XML specifiers, NOT in the SPL!

<form>
  <label>Demo Solution</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=my_index AND "Log Message" | timechart limit=0 count BY sourcetype</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

Check the Dashboard Examples app.

Re: How to get earliest and latest from time filter?

asubramanian — Wed, 16 Oct 2019 23:18:38 GMT

Thanks a lot @woodcock passing the filter to tags instead of filter in query language worked.