Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I create a variable based on absolute vs relative time picker?

bvan
Explorer
‎02-02-2021 11:53 AM

I have a dashboard panel where I'm trying to show how many users are experiencing a specific Event for the first time in the last x days. Right now I have the the search syntax set up where it will look at the last x days and will only show users who have NOT experienced that same event in the last 5 months. This works with relative time frames (in last 7 days) but doesn't work with absolute time frames with epoch values (Since 1/20/21 until now). Is there a way to modify the search so that it works with both types of time available from the time picker? Can I set a variable depending on the type of time selected from a time_picker input?

For example, can I set a variable where if the input time_picker is "x days ago" it inserts the following into the search: | eval DAYSAGO=relative_time(now(),"-6d@d") 

but if the input time_picker is "Since 1/27/2021 until now" it inserts this:
| eval DAYSAGO=1611705600

 

index="index_summary"
| stats earliest(EventTime) AS Earliest_TimeStamp, earliest(orig_time) AS Earliest_TimeStampEpoch, count(eval(EventId="148" OR EventId="170")) AS "Device Enrollments" by EnrollmentEmailAddress, DeviceFriendlyName, Platform
| where 'Device Enrollments' < 6
| sort - "Device Enrollments" 
| eval DAYSAGO=relative_time(now(),"-6d@d") 
| where DAYSAGO < Earliest_TimeStampEpoch
| stats count sum(EnrollmentEmailAddress) as "Users"

 

 

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-02-2021 03:39 PM

@bvan 

Have you tried using 

| addinfo

in your search, as that will give you some new fields in the data 

https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Addinfo

info_min_time + info_max_time

which will give you a 'translation' of your time picker into epoch times regardless of what form of time you set in the picker.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...