
How to display earliest and latest dates of searches in a dashboard and PDF report?

Path Finder

Hi,

How do you display the earliest and latest dates of the searches in a dashboard that is later rendered into a PDF report?

This report gets mailed out once a week and with no earliest and latest dates it is pretty tough to keep track of them.

Thank you

Joon


Re: How to display earliest and latest dates of searches in a dashboard and PDF report?

Builder

You could add a table showing the min and max _time, like this:

index=main | stats min(_time) AS startDate, max(_time) AS endDate | convert timeformat="%F %T" ctime(*Date)

Just add it as another element to the Dashboard in a table format.

0 Karma

Re: How to display earliest and latest dates of searches in a dashboard and PDF report?

Contributor

If, like me, you don't want that information in a table but want to display it in some HTML or in the title of panels, edit the XML and locate the ... block. Within it, add a "done" clause like in this example:

<search>
  <query> ... </query>
  <earliest> ... </earliest>
  <latest> ... </latest>
  <done>
    <eval token="earliest_token"> strftime( relative_time( now(), $job.request.earliest_time$ ),  "%c" ) </eval>
    <eval token="latest_token"> strftime( relative_time( now(), $job.request.latest_time$ ),  "%c" ) </eval>
  </done>
</search>

Then you can do things like:

<row>
  <panel>
    <html>
      <p>Showing data from $earliest_token$ to $latest_token$.</p>
    </html>
  </panel>
</row>

There are many ways this can be tweaked to your preference, starting with the format you give to strftime. This example assumes that the earliest/latest are relative times such as "-7d@d" etc. You'll need to update the eval if they are epoch timestamps, for instance.

Also, I'm using this with a base search at the top of the dashboard (outside any panel). If you're trying this with a search within a panel, I'm not 100% sure the tokens will be available everywhere in the dashboard.

One slight annoyance with this solution is that the earliest/latest tokens are not populated until the search is done, but I haven't found how to avoid that. Works for me anyway.


Re: How to display earliest and latest dates of searches in a dashboard and PDF report?

Contributor

Unfortunately, that works for the dashboard but not for the scheduled PDF 😞

0 Karma