Dashboards & Visualizations

Panel to display n days before data based upon time picker selected

irvanramuk
New Member

Hi,

Am trying to have two panels with one showing the data corresponding to the range selected in time picker and the other panel showing data for the same time range but 7 days earlier. Have tried using eval to assign the 7d time range into tokens (after searching online).

    <input type="time" token="Time_Range" >
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="weekearliest">relative_time(relative_time(time(), "$earliest$"), "-7d")</eval>
        <eval token="weeklatest">relative_time(relative_time(time(), "$latest$"), "-7d")</eval>
      </change>
    </input>

Have added the tokens initialized weekearliest and weeklatest as token based search in another panel but it doesnt seems to work,

          <earliest>$weekearliest$</earliest>
          <latest>$weeklatest$</latest>

Can kindly provide pointers to check on how to implement them?

Tags (1)
0 Karma

maciep
Champion

Played with this on Splunk 7.1.x. I have always created a search, used addinfo to the earliest latest, manipulated them as needed and then created tokens to use elsewhere. But I like your approach too.

Anyway, I removed some quotes and added a check for the case when latest is now...because that didn't seem to work as a modifier in the relative_time() function. Also, you may need to account for the all time scenario too...

Here's a very simple dashboard that just shows the tokens in the title of an empty panel.

<form>
  <label>Timepicker Test</label>
  <fieldset>
    <input type="time" token="Time_Range" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="weekearliest">relative_time(relative_time(now(),$earliest$,-7d)</eval>
        <eval token="weeklatest">if($latest$="now",now(),relative_time(now(),$latest$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$weekearliest$   $weeklatest$</title>
      <single>
        <search>
          <query/>
        </search>
      </single>
    </panel>
  </row>
</form>
0 Karma

Sukisen1981
Champion

your token is time_range, so your evals on change tags should look something like this relative_time(relative_time(time_range, "$earliest$"), "-7d")
<eval token="weeklatest">relative_time(relative_time(time_range, "$latest$"), "-7d")</eval>

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...