topic Re: time picker in Splunk Search

time picker

seanmylne — Tue, 29 Sep 2020 17:36:04 GMT

Hi guys,

I am trying to show 2 tables - one for the time frame using a time-picker and one search for the same time frame but for 7 days ago.

Below is my query using field1 as my time picker.

Below is my "query" in my dashboard.

I am using count and not timechart so cannot use timewrap as i want to show a count of response times 0-1, 2-3 and so on.

Thanks
Sean

Re: time picker

nryabykh — Tue, 29 Sep 2020 17:32:14 GMT

It seems to be a number of problems with earliest=$field1.earliest$-86400m latest=$field1.ealiest$-86385m. First of all, you cannot subtract "86400m", because Splunk holds "86400m" as a string. It's better to use earliest=$field1.earliest$-86400, without "m". Second, if you want to get "This Time 7 Days Ago", you should subtract 7*24*3600 = 604800, rather than 86400. At last, this notation fails if you select relative time in your initial time picker. In this case $field1.earliest$ equals to "-15m" or smth like that and it will be difficult to count "-15m-604800".

You can try the following workaround. Add a search on your dashboard with this query:

| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)

$field1.earliest$
$field1.latest$

<set token="earliest7">$result.earliest7$</set>
<set token="latest7">$result.latest7$</set>

Then use tokens $field1.earliest$ and field1.latest as earliest and latest bounds in "today" subsearch and use tokens $earliest7$ and $latest7$ as earliest and latest bounds in "7 days ago" subsearch.

Re: time picker

seanmylne — Wed, 10 Jan 2018 21:37:17 GMT

Hi Nryabykh,

Thanks for the reply. tbh i tried it with and without the m and could not get it to play 😞

I have also tried to add your suggestions but without success. I have added my panel and start of the form:-

SM_Test

<input type="time" token="field1" searchWhenChanged="true">
  <label></label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>

<init>
  <set token="earliest7">$result.$earliest7$</set>
  <set token="latest7">$result.$latest7$</set>
</init>

<panel>
  <table>
    <title>Test App</title>
    <search>
      <query>makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600) 
      host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=earliest7$ latest=latest7$ | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx 
      | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000 
      | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago"  | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$ 
      | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000 
      | table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>

Using the above i get an error stating "Search is waiting for input...."

Not sure where i am going wrong.

Thanks
Sean

Re: time picker

micahkemp — Thu, 11 Jan 2018 05:02:42 GMT

The previous answer wanted you to have two searches, one for your panel, one that is separate from any panel and really just sets the tokens. For your panel search, something like this:

       <query>host="xxx-xxx-xxx" sourcetype="alarm_metric" | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx 
       | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 
       | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago"  | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric"
       | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 
       | table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
       <earliest>$earliest7$</earliest>
       <latest>$latest7$</latest>

Note I moved $earliest7$ and $latest7$ out of the search string and into the earliest/latest fields below. But if you do need to use a token in a search string, you need to make sure it's surrounded by $ (on both sides). Your pasted XML had some instances of $ on only one side of the token name.

And then another search higher up in the dashboard to set the tokens:

   <search id="set_time">
     <query><![CDATA[| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)]]></query>
     <done>
       <condition match="'job.resultCount' == 1">
          <set token="earliest7">$result.earliest7$</set>
          <set token="latest7">$result.latest7$</set>
       </condition>
     </done>
   </search>

Consider referencing this recent answer I posted regarding how this may look as a complete XML example.

Re: time picker

nryabykh — Thu, 11 Jan 2018 10:19:17 GMT

Hi, Sean.
Sorry for bad formatting in my answer, I was confused a bit about text input controls here. Micahkemp represented it clearly in the answer below.

Re: time picker

micahkemp — Thu, 11 Jan 2018 15:27:38 GMT

If your question was answered, please accept the answer you consider most valid/helpful, so this answer no longer appears open.

Re: time picker

seanmylne — Fri, 12 Jan 2018 17:38:17 GMT

Hi nyabykh,

Even with it explained a little bit more i can not get either to work. I have tried various permutations of following both advice but either getting waiting for input or invalid start time.

Thanks
Sean

Re: time picker

seanmylne — Fri, 12 Jan 2018 17:41:30 GMT

Hi micahkemp,

Thanks for the advice. However i can not actually get it work. Not sure what i am missing but i either get invalid start time or waiting for input when i am trying to get it to work.

Thanks
Sean

Re: time picker

micahkemp — Sat, 13 Jan 2018 05:40:29 GMT

Can you paste the XML of your dashboard that is not working?

Re: time picker

seanmylne — Sat, 13 Jan 2018 09:47:03 GMT

Hi micahkemp

This is what i have - which errors with invalid earliest time.

SM_Test

<query>
  <![CDATA[| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)]]>
</query>
<done>
  <condition match="'job.resultCount' == 1">
    <set token="earliest7">$result.earliest7$</set>
    <set token="latest7">$result.latest7$</set>
  </condition>
</done>


<input type="time" token="field1" searchWhenChanged="true">
  <label></label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <title>xyz</title>
    <search>
      <query>host="xxx-xxx-xxx" sourcetype="alarm_metric"  |spath "Message.SourceApp" | search "Message.SourceApp"=xyz | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago"  | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" $earliest$ $latest$ | spath "Message.SourceApp" | search "Message.SourceApp"=xyz | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
      <earliest>$earliest7$</earliest>
      <latest>$latest7$</latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>

Thanks
Sean

Re: time picker

mstark31 — Tue, 27 Nov 2018 21:02:32 GMT

Could there be a syntax error with the fact that there are 3 $ in the token setting expression?

$result.$earliest7$