topic Re: Calculate earliest, latest with timepicker in Splunk Search

Calculate earliest, latest with timepicker

igschloessl — Wed, 30 Sep 2020 01:49:32 GMT

My case is that I have got a dashboard with panels where I have a global time picker $global_pckr$
I need to calculate the latest timespan for a specific panel, when the user picks a too wide timespan.

index=proxy src=$ip$
[|gentimes start=-1 | addinfo | eval earliest=$global_pckr.earliest$, latest=relative_time($global_pckr.earliest$, "+7d"]
| stats count min(_time) as end max(_time as start by action src url

I get the Error: Unable to parse 156616... with format: %m/%d/%>:%H:%M:%S

How can I get this work?

Thank you in advance

Re: Calculate earliest, latest with timepicker

apcsplunk — Wed, 30 Sep 2020 01:49:37 GMT

Hi,
Few corrections i think:
1. No comma used in eval statements for creating multiple eval fields. Reference->
https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/SearchReference/Eval
2. Stats usage is | stats min(_time) as end max(_time as start by action src url. if you want to add count also,then use | stats count as "new_label" Reference-> https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats

Re: Calculate earliest, latest with timepicker

richgalloway — Mon, 19 Aug 2019 12:47:13 GMT

"Correction" 1 is incorrect. The comma is required when performing multiple evals in a single statement.
"Correction" 2 implies the as clause is required. It is not.

Re: Calculate earliest, latest with timepicker

woodcock — Mon, 19 Aug 2019 16:37:05 GMT

You are combining things. If you are using $global_pckr.earliest$ and $global_pcker.latest$ then you do not need | addinfo because it is redundant. As far as, "How can you get this to work", you have not explained what exactly this is so there is no way that we can help you further.