- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Adding date range modifiers to dashboard input
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A am trying to add a contextual input field to my dashboard and I seem to be having a hard time translating it into something splunk understands. The idea is to be able to use a dropdown menu to select between 0, 30, 60, 90 days. At which point all subsequent dashboards will exclude logs that have VulnerabilityPublishedDate earlier than the selection. I originally though i would give the drop down a token say $datemodifier$ and then add the below logic to each of my dashboards query's. But this does not seem to work
In the dashboard i tried this.
| eval OffsetTime = strftime(relative_time(now(),"-$datemodifier$d@d"), "%Y-%m-%d")
This is my search
index=stuff sourcetype="stuff"
| eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d")
| eval stripTime=strftime(Epoch_Time, "%Y-%m-%d")
| eval OffsetTime = strftime(relative_time(now(),"-30d@d"), "%Y-%m-%d")
| where stripTime <= OffsetTime
| table Epoch_Time stripTime VulnerabilityPublishedDate OffsetTime
Sample output from this search:
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
1583798400.000000 2020-03-10 2020-03-10 00:00:00.0 2020-03-25
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jlovik use this instead for the offset. Convert the date modifier into seconds and subtract that from the epoch time [now()]
| eval OffsetTime = strftime(now() - ($datemodifier$ * 86400), "%Y-%m-%d")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jlovik use this instead for the offset. Convert the date modifier into seconds and subtract that from the epoch time [now()]
| eval OffsetTime = strftime(now() - ($datemodifier$ * 86400), "%Y-%m-%d")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what i needed to get it all together. I edited it slightly in the final search for clarity. I also missed the tool tip telling me to use $ on both side of the variable in the dashboard which was one of my issues.
| eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d")
| eval Addtime=strftime(Epoch_Time + (30 * 86400), "%Y-%m-%d")
| eval Now = strftime(now(), "%Y-%m-%d")
| where Addtime < Now
What's New in Splunk Cloud Platform 9.3.2411?
Buttercup Games: Further Dashboarding Techniques (Part 6)
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
