topic Re: Custom Splunk query with relative time in Dashboards & Visualizations

Custom Splunk query with relative time

faustf — Wed, 22 Feb 2017 07:51:42 GMT

Hi guys,
I'm trying to create a custom dashboard.
I've added a DropDown input with the following parameters:

token failureId
query= myquery
Field for label= Date
Field for Value= FailureID

I would like to create a graph line where the time range is between: ($failureId$/1000)-15minutes and ($failureId$/1000)

how can i configure the chart panel to perform this query?
thanks

Re: Custom Splunk query with relative time

nickhills — Wed, 22 Feb 2017 08:31:26 GMT

I am not sure what you mean by ($failureId$/1000)
Do you mean that your failure id is a large number eg 37000, and you are trying to convert this to 37?
or - are you trying to trying to divide the number of occurrences of a given failure id by 1000?
Whilst i am asking questions, what is the significance of -15 from a failure id?

Re: Custom Splunk query with relative time

niketn — Wed, 22 Feb 2017 08:41:45 GMT

Another thing you need to explain about -15 min. Is it 15 minutes prior to the DateTime value selected as Label in the Dropdown?

Re: Custom Splunk query with relative time

faustf — Wed, 22 Feb 2017 08:48:08 GMT

The failureID is a TimeStamp like this: 1487753100000000 but to let Splunk treat this timestamp I have to perform this division: 1487749956/1000000 (sorry it is not 1000 but 1000000)

For example the following is a query that I created and it's working

index=myindex sourcetype="csv" Resource=myres  myfield=* FailureID=*  | eval _time=(FailureID/1000000) | table _time, myfield

Then I want to get all the logs that are between my (FailureIDTimestamp - 15 minutes) and FailureIDTimestamp.

Re: Custom Splunk query with relative time

faustf — Wed, 22 Feb 2017 08:51:09 GMT

Yes, the user select the failureID (that is my type of timestamp) in the dropdown (the token of the dropdown is $failureId$) and I what to perform a query to create a line chart using this time range: [$failureId$/1000000 - 15m, $failureId$/1000000 ]

Re: Custom Splunk query with relative time

rjthibod — Wed, 22 Feb 2017 09:45:25 GMT

Assuming your running Splunk 6.3 or newer, you can use the <change> element on the dropdown to set the time values accordingly. The following assumes you are using a global time picker atop of the dashboard. If you are using a timepicker with a specific name, you will need to change the token names to form.<TIME_TOKEN_NAME>.earliest and form.<TIME_TOKEN_NAME>.latest.

<input token="failureId" type="dropdown">
   ...
  <change>
    <condition label="*">
      <eval token="earliest">round('value'/1000000, 3) - 15*60</set>
      <eval token="latest">round('value'/1000000, 3)</set>
    </condition>
  </change>
</input>

Re: Custom Splunk query with relative time

faustf — Wed, 22 Feb 2017 10:14:50 GMT

This seems interesting but I don't need to modify the dropdown, instead, I need to modify the query that create the line chart based on the value selected in the dropDown:

<panel>
      <input type="dropdown" token="failureID">
        <label>FailureID</label>
        <fieldForLabel>Date</fieldForLabel>
        <fieldForValue>FailureID</fieldForValue>
        <search>
          <query>myquery</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </input>
      <chart>
        <search>
          <query>index=myindex ALARM="ALARM" | timechart count</query>
          <earliest>$failureID$/1000 - 15 minutes</earliest>
          <latest>$failureID$/1000</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>

is it possible?

Re: Custom Splunk query with relative time

faustf — Wed, 22 Feb 2017 10:29:41 GMT

This is working

<chart>
        <search>
          <query>index=myindex ALARM="ALARM" | timechart count</query>
          <earliest>$failureID$</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">line</option>
</chart>

But I need to subtract -15 minute from <earliest>$failureID$</earliest>

Re: Custom Splunk query with relative time

rjthibod — Wed, 22 Feb 2017 10:37:16 GMT

The example I gave you should do what you want because it is directly modifying the search time period for the chart. I suggsest you try what I posted after you remove the earliest and latest from the chart.

Re: Custom Splunk query with relative time

niketn — Wed, 22 Feb 2017 10:50:48 GMT

You would need to code Dropdown change event because you are trying to perform calculation on selection of value in Dropdown.

You also need to
- Either provide a default value for Dropdown and enable search on change to allow your dashboard to load for the first time.
- Or else set depends in the second panel on the tokens $Earliest$ and $Latest$ because for the first time Panel can not be displayed without these values.

  <change>
    <eval token="Earliest">relative_time($value$/1000000,"-15m")</eval>
    <eval token="Latest">$value$/1000000</eval>
  </change>

Once you have set the token in the Dropdown on selecting/changing dropdown value, you can use the same in your second panel as you have mentioned before... i.e. by adding following to your search.

      <earliest>$Earliest$</earliest>
      <latest>$Latest$</latest>

Re: Custom Splunk query with relative time

faustf — Wed, 22 Feb 2017 11:03:46 GMT

you are right it worked.