topic Re: Using a time selector in a .dashboard - how can i make modifications to latest time in a query? in Dashboards & Visualizations

Using a time selector in a .dashboard - how can i make modifications to latest time in a query?

rvoninski_splun — Fri, 02 Jun 2017 19:08:12 GMT

I have a dashboard and set of queries where i want to give someone the ability to select the time range. A time range isnt really as important as giving me the selection for latest time. Since I am building queries based on that. Specifically in the example below I want to only show the data for the day previous to the latest time selected in other words I want to make the time selection

earliest=now-48hours(snap to day)

latest=now-24hours(snap to day)

Here is the query I am trying to use but it isnt working as written. The time token name is TimeRange

 <query>host=host123 index=security123 sourcetype="SplunkLog123" earliest=$TimeRange.latest$-2d@d latest=$TimeRange.latest$-1d@d</query>

Thanks for your help in advance.

Re: Using a time selector in a .dashboard - how can i make modifications to latest time in a query?

micahkemp — Fri, 02 Jun 2017 19:18:43 GMT

You can set earliest/latest using a subsearch if necessary. In this case, you can set earliest using an eval based on info_max_time, created via addinfo.

Try this, which should set earliest to be essentially latest-1d:

host=host123 index=security123 sourcetype="SplunkLog123"  [| makeresults | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest]

Edit:

Try this instead:

[| makeresults | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest]  host=host123 index=security123 sourcetype="SplunkLog123"

I've seen issues before with Splunk interpreting earliest=/latest= as key/values pairs of the data itself (instead of time modifiers) if they aren't at the start of the query.

Re: Using a time selector in a .dashboard - how can i make modifications to latest time in a query?

rvoninski_splun — Fri, 02 Jun 2017 20:44:49 GMT

LOL - I should have just emailed you Micah!!

Im not quite getting this to work yet - the query is returning by itself from within splunk search no results when the subsearch is added. by itself the subsearch is returning

| makeresults  | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest

Result a one element table with the following value --> 1496349788.000000

Any idea on what to check? Have you been able to get this to run against your own queries with this subsearch?

Thanks.
RV

Re: Using a time selector in a .dashboard - how can i make modifications to latest time in a query?

rvoninski_splun — Fri, 02 Jun 2017 20:53:00 GMT

So close - I think ive got it working we needed to modify the latest time to get the events to show the events i want . Only mod made

[| makeresults | addinfo | eval latest=relative_time(info_max_time, "-1d") | table latest]

Going to test within dashboards now.

Re: Using a time selector in a .dashboard - how can i make modifications to latest time in a query?

woodcock — Sat, 03 Jun 2017 16:53:42 GMT

Like this:

<query>host=host123 index=security123 sourcetype="SplunkLog123" [|makeresults | earliest=$TimeRange.latest$-172800, latest=$TimeRange.latest$-86400| table earliest latest | format "" "" "" "" "" ""]</query>