How to display earliest and latest dates of searches in a dashboard and PDF report?

joonradley
Path Finder

Hi,

How do you display the earliest and latest dates of the searches in a dashboard that is later rendered into a PDF report?

This report gets mailed out once a week and with no earliest and latest dates it is pretty tough to keep track of them.

Thank you

Joon

gabriel_vasseur
Contributor

If, like me, you don't want that information in a table but want to display it in some HTML or in the title of panels, edit the XML and locate the ... block. Within it, add a "done" clause like in this example:

<search>
  <query> ... </query>
  <earliest> ... </earliest>
  <latest> ... </latest>
  <done>
    <eval token="earliest_token"> strftime( relative_time( now(), $job.request.earliest_time$ ),  "%c" ) </eval>
    <eval token="latest_token"> strftime( relative_time( now(), $job.request.latest_time$ ),  "%c" ) </eval>
  </done>
</search>

Then you can do things like:

<row>
  <panel>
    <html>
      <p>Showing data from $earliest_token$ to $latest_token$.</p>
    </html>
  </panel>
</row>

There are many ways this can be tweaked to your preference, starting with the format you give to strftime. This example assumes that the earliest/latest are relative times such as "-7d@d" etc. You'll need to update the eval if they are epoch timestamps for instance.

Also, I'm using this with a base search at the top of the dashboard (outside any panel). If you're trying this with a search within a panel, I'm not 100% sure the tokens will be available everywhere in the dashboard.

One slight annoyance with this solution is that the earliest/latest tokens are not populated until the search is done, but I haven't found how to avoid that. Works for me anyway.

gabriel_vasseur
Contributor

Unfortunately, that works for the dashboard but not for the scheduled PDF 😞

0 Karma

musskopf
Builder

You could add a table showing the min and max _time, like that:

index=main | stats min(_time) AS startDate, max(_time) AS endDate | convert timeformat="%F %T" ctime(*Date)

Just add it as another element to the Dashboard in a table format.