topic Re: Converting time in Time token to limit results till a particular date in Splunk Search

Converting time in Time token to limit results till a particular date

pushpender07 — Wed, 26 Jul 2017 21:44:47 GMT

I need to create a panel in dashboard which gives me list of activities till 23rd July 2017. Now, I don't want the start time to be fixed but it to be user defined in the panel, so I have created a dropdown where users can select time duration. Now, endtime ensures the output never goes beyond 23rd July. But I want the start time to be dynamic based on what user select. So if user selects last 30 days, start time should be 25th June and results should be from 25th June to 23 July. When I run the below query, it gives a parse error. Any solution to this please. How can I set starttime based on what user selects in the dropdown.

  <title>Activities (till 23rd July 2017)</title>
  <input type="time" token="time_token">
    <label>Select Time duration</label>
    <default>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </default>
  </input>

    <search>
      <query>index=ABC sourcetype=server123 starttime="$time_token.earliest$" endtime="07/23/2017:00:00:00" |stats count by activity
      <earliest>-30d@d</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>

</panel>

Re: Converting time in Time token to limit results till a particular date

sbbadri — Thu, 27 Jul 2017 04:18:20 GMT

Try below, i have converted July 23rd, 2017 to epoch time

<query>index=ABC sourcetype=server123 earliest=$time_token.earliest$ latest=1500782400 |stats count by activity</query>

<query>index=ABC sourcetype=server123 starttime=$time_token.earliest$ endtime=1500782400 |stats count by activity</query>

Re: Converting time in Time token to limit results till a particular date

niketn — Thu, 27 Jul 2017 05:32:19 GMT

@pushpender07, Using Time Control when the latest time is fixed and earliest keeps on changing can be confusing. For example "Last 7 Days" option in Time Control on 07/27 will set the earliest date to 07/20. When ideally "7 Days ago" option should be present to allow earliest time as 07/17 when the last date is fixed at 07/23. Using time control can be confusing/erroneous when someone selects 07/26 or even Yesterday for earliest time then the Search will fail as fixed latest time 07/23 can not be earlier than earliest time.

You can create your own dropdown to set valid earliest time.

Please find run anywhere code for the two options

  <search id="fromTimeControl">
    <query>|makeresults</query>
    <earliest>$selEarliestFromTimeControl.earliest$</earliest>
    <done>
      <eval token="tokEarliestFromTimeControl">strptime($job.earliestTime$,"%Y-%m-%d %H:%M:%S")</eval>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="selEarliestFromTimeControl" searchWhenChanged="true">
        <label>Select Earliest (Time Control)</label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
      </input>
    </panel>
    <panel>
      <input type="dropdown" token="selEarliestFromDropDown" searchWhenChanged="true">
        <label>Select Earliest Time (Dropdown)</label>
        <choice value="-30d">30 days before</choice>
        <choice value="-7d">7 days before</choice>
        <choice value="-1d">1 day before</choice>
        <change>
          <eval token="tokEarliestFromDropDown">relative_time(strptime("07/23/2017:00:00:00","%m/%d/%Y:%H:%M:%S"),$value$)</eval>
        </change>
        <default>-7d</default>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Search from Time Control</title>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level!="INFO" earliest="$tokEarliestFromTimeControl$" latest="07/23/2017:00:00:00"| timechart count</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Search from Time Dropdown</title>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level!="INFO" earliest="$tokEarliestFromDropDown$" latest="07/23/2017:00:00:00"| timechart count</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>

Re: Converting time in Time token to limit results till a particular date

pushpender07 — Thu, 27 Jul 2017 19:10:20 GMT

Hi, Thanks for the input. This does not solve the issue as I get a parse error when I try to use this.

Re: Converting time in Time token to limit results till a particular date

pushpender07 — Thu, 27 Jul 2017 19:10:49 GMT

Hi, I will try to use it. As I am new to splunk, it might take time for me to figure this out. Thanks!

Re: Converting time in Time token to limit results till a particular date

sbbadri — Thu, 27 Jul 2017 19:20:48 GMT

can you paste full error.

Re: Converting time in Time token to limit results till a particular date

pushpender07 — Thu, 27 Jul 2017 19:53:18 GMT

I get the following error "Unable to parse -30d@d with format: %m/%d/%Y:%H:%M:%S".
time_token.earliest is -30d@d by default

Re: Converting time in Time token to limit results till a particular date

sbbadri — Tue, 29 Sep 2020 15:05:56 GMT

try below

<form>
<label>test_tr</label>
<fieldset submitButton="false">
<input type="time" token="time_token">
<label>Select a time range before july 23rd</label>
<default>
<earliest>-30d@d</earliest>
<latest>1500782400 </latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=splunkd group=queue earliest=$time_token.earliest$ latest=1500782400 | stats count by group _time | reverse</query>

</search>
</table>
</panel>
</row>
</form>

Re: Converting time in Time token to limit results till a particular date

pushpender07 — Thu, 27 Jul 2017 20:53:18 GMT

yup, this works. Thanks a bunch!