topic Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results. in Dashboards & Visualizations

Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

bharathdoitnow — Tue, 20 Mar 2018 04:52:15 GMT

I am creating a dashboard which shows results based on search range.

Problem Statement :
1. user fills a form in the web application.
2. Logs into Splunk dashboard and looks for logs by choosing "today" in time picker
3. no results comes up as the logs were tagged under a day before time stamp.
4. when user changes time to yesterday or last 2 days, results are shown.

So I want to enhance the user search range + 1 day before in the back end. I tried to do but it is is not working as expected.

What I tried:

Time picker:

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

bharathdoitnow — Tue, 20 Mar 2018 05:36:20 GMT

     <earliest>$shared_time.earliest$-24h</earliest> earliest time in screenshot was a typo, anyway thats not a working solution.

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

niketn — Tue, 20 Mar 2018 06:04:42 GMT

@bharathdoitnow, you would need to pass on the Time input tokens to a dummy search and then use $job.earliestTime$
which is default token for <search> handler. PS: As per your question you need to show -24h data along with selected time range, which means you don't need to adjust latest time just the earliest time. You can also refer to my previous answer for details (one more solution approach using addinfo https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html)

Please try the following run anywhere dashboard and confirm:

<form>
  <label>Adjust Search Earliest Time</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search>
    <query>| makeresults
    </query>
    <done>
      <set token="tokAdjustedEarliestTimeString">$job.earliestTime$</set>
      <eval token="tokAdjustedEarliestTimeEpoch">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-24h")</eval>
    </done>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
  </search>
  <row>
    <panel>
      <title>tokAdjustedEarliestTimeString: "$tokAdjustedEarliestTimeString$" | tokAdjustedEarliestTimeEpoch= "$tokAdjustedEarliestTimeEpoch$"</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
          | timechart count</query>
          <earliest>$tokAdjustedEarliestTimeEpoch$</earliest>
          <latest>$tokTime.latest$</latest>          
        </search>
      </table>
    </panel>
  </row>
</form>

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

niketn — Tue, 20 Mar 2018 13:30:56 GMT

@bharathdoitnow, have you tried the run anywhere dashboard above.

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

bharathdoitnow — Fri, 23 Mar 2018 02:34:39 GMT

Thank you @Niketnilay, It looks very easy now. I am trying it out today....

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

niketn — Fri, 23 Mar 2018 04:15:43 GMT

@bharathdoitnow, sure if it makes sense surely it would work. Try out and confirm! All the best 🙂

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

bharathdoitnow — Mon, 26 Mar 2018 04:19:38 GMT

@niketnilay Thank you for the answer.. It worked and Solved my Major issue to search with a standard Timestamp.

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

niketn — Mon, 04 Jun 2018 17:39:42 GMT

@bharathdoitnow, if it worked for you please dont forget to accept the answers and up vote the comments that helped!

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

niketn — Sat, 29 Dec 2018 14:31:44 GMT

@bharathdoitnow stumbled on this old post. If your issue was resolved kindly accept this answer to mark the question as answered and assist others facing similar issue! 🙂