topic Re: How to add dynamic timewrap to dashboard? in Splunk Search

How to add dynamic timewrap to dashboard?

SShalaka — Tue, 19 Jul 2022 21:00:12 GMT

Hello everyone,

I want to be able to have a dynamic timewrap option on my dashboard. Based on the user input (of specific time range and a time wrap variable), i want some graphs on the dashboard to plot the events from that entered time range and also the events from the day before/ week before, based on the timewrap variable. Is this doable?

I have attached some messy code; not sure if this is doable. Thank you for your advice!

Re: How to add dynamic timewrap to dashboard?

bowesmana — Tue, 19 Jul 2022 22:19:02 GMT

You can't use variables from the top part of the search in the append subsearch. Subsearches run before the main search.

The solution is to do the earliest and latest calculations in a global search in the dashboard that is triggered from the user input and then set tokens based on that result in its <done> clause. Then those tokens can be used in this main search, which would then look something like

index=* other_criteria ((earliest=$earliest$ latest=$latest$) OR (earliest=$timewrap_earliest$ latest=$timewrap_latest$)) | rex... | timechart...

Global search could look something like

<search> <query> | makeresults | eval earliest=calc_earliest... | eval latest=calc_latest... | eval timewrap_earliest=calc_timewrap_earliest... | eval timewrap_latest=calc_timewrap_latest... </query> <done> <set token="earliest">$result.earliest$</set> <set token="latest">$result.latest$</set> <set token="timewrap_earliest">$result.timewrap_earliest$</set> <set token="timewrap_latest">$result.timewrap_latest$</set> </done> </search>

Hope this helps

Re: How to add dynamic timewrap to dashboard?

bowesmana — Tue, 19 Jul 2022 22:20:49 GMT

oh, and as for the 'wrapping', instead of adding _time to bring it in line with the current search, just use the timewrap command, which does that for you

Re: How to add dynamic timewrap to dashboard?

SShalaka — Mon, 25 Jul 2022 19:46:14 GMT

Hello @bowesmana thanks so much for taking the time to reply to my message, I am grateful. I have been messing around with the code but keep getting stuck at one point. I took your advice and created a global search, but since this base search needs to run based off a user input, it does not seem to work for me.

When I put this search below the fieldset, it just automatically jumps to the top when I save the dashboard, and hence does not have access to the input values from the user. Is there something obvious I am missing or is there a solution for this?

Re: How to add dynamic timewrap to dashboard?

bowesmana — Mon, 25 Jul 2022 22:56:03 GMT

The order in the XML file is not significant, i.e. the global <search> would normally be at the top of the XML anyway.

If your fieldset input has a token input_time then this will be available to the search - do you have 'search when changed' on the input?

To diagnose tokens, you can create a simple HTML panel that shows the token values, e.g.

<row> <panel> <html> <h1>earliest=$earliest$</h1> <h1>latest=$latest$</h1> <h1>timewrap_earliest=$timewrap_earliest$</h1> <h1>timewrap_latest=$timewrap_latest$</h1> <h1>input_time.earliest=$input_time.earliest$</h1> <h1>input_time.latest=$input_time.latest$</h1> </html> </panel> </row>

this should show you what is going on as you change the time picker setting

Re: How to add dynamic timewrap to dashboard?

SShalaka — Tue, 26 Jul 2022 15:31:29 GMT

Hi @bowesmana, I have "search when changed" set to false. Does this matter? I tried out the html panel and this is the result I get:

and this is the source:

Not sure where I am messing up; think I am missing something small..

Re: How to add dynamic timewrap to dashboard?

bowesmana — Tue, 26 Jul 2022 23:46:37 GMT

The initial setting of earliest and latest needs to quote the tokens on the right hand side.

Here's an example, where I have put the search inside a panel, so you can see what's going on - you will see that unless you quote the latest=$input_time.latest$, you will get an error in the eval statement

See this example

<form> <label>Time</label> <fieldset submitButton="true" autoRun="false"> <input type="time" token="input_time"> <label>Incident</label> <default> <earliest>-60m@m</earliest> <latest>now</latest> </default> </input> <input type="text" token="dynamic_time"> <label>Dynamic</label> <initialValue>1d</initialValue> </input> </fieldset> <row> <panel> <table> <search> <done> <set token="earliest">$result.earliest$</set> <set token="latest">$result.latest$</set> <set token="timewrap_earliest">$result.timewrap_earliest$</set> <set token="timewrap_latest">$result.timewrap_latest$</set> </done> <query>| makeresults | eval earliest="$input_time.earliest$" | eval latest="$input_time.latest$" | eval length=len("$input_time.earliest$") | eval earliest_unix=if(length>10, "$input_time.earliest$", relative_time(now(), "$input_time.earliest$")) | eval latest_unix=if(length>10, "$input_time.latest$", if("$input_time.latest$"=="now", relative_time(now(), "-0d"), relative_time(now(), "$input_time.latest$"))) | eval timewrap_earliest=case("$dynamic_time$"=="1d", earliest_unix-86400, "$dynamic_time$"=="1w", earliest_unix-604800) | eval timewrap_latest=case("$dynamic_time$"=="1d", latest_unix-86400, "$dynamic_time$"=="1w", latest_unix-604800) ``` For display only ``` | eval eu=strftime(earliest_unix, "%F %T") | eval lu=strftime(latest_unix, "%F %T") | eval twe=strftime(timewrap_earliest, "%F %T") | eval twl=strftime(timewrap_latest, "%F %T") | table _time earliest latest earliest_unix latest_unix timewrap_earliest timewrap_latest eu lu twe twl</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="refresh.display">progressbar</option> </table> <html> <h1>earliest=$earliest$</h1> <h1>latest=$latest$</h1> <h1>timewrap_earliest=$timewrap_earliest$</h1> <h1>timewrap_latest=$timewrap_latest$</h1> <h1>input_time.earliest=$input_time.earliest$</h1> <h1>input_time.latest=$input_time.latest$</h1> </html> </panel> </row> </form>

Re: How to add dynamic timewrap to dashboard?

SShalaka — Wed, 27 Jul 2022 22:53:49 GMT

Hi @bowesmana yes I see where I was wrong. It works perfectly now, thanks so much 😊