Dashboards & Visualizations

Can't get Eval statements in dashboard to use correct values.

kcepull2
Path Finder

This has been beating me up way longer than it should, and I'm sure I'm doing something stupidly obviously wrong, but am just not seeing it. 🙂

Below is the source for a test dashboard. On it, there are 2 input fields. The first is a time picker, where the user can pick a time range (e.g. last 15 minutes, yesterday). This defines "range 1". The second is an input field where the user can specify the number of days to offset range 2 from range 1. So, for example, if the user picks "yesterday" from the time picker, and "7" days for the offset, then range 1 should be 4/13/2017 00:00:00 - 4/13/2017 23:59:59 (assuming today is 4/14/2017), and range 2 should be 4/6/2017 00:00:00 - 4/6/2017 23:59:59.

Likewise, if it is currently 4/14/2017 at 9:00am, then picking "last 15 minutes" and "2 days" should result in range 1 being 4/14/2017 8:45:00 - 4/14/2017 9:00:00 (now), and range 2 should then be 2 days prior: 4/12/2017 8:45:00 - 4/12/2017 9:00:00.

However, this isn't working. 🙂

When changing either value, the block of text below it is updated, but it appears that it is using 'old' values. For example, the default when the dashboard is opened is "last 4 hours" and "7 days". If you change the time picker to "last 60 minutes", the values are recalculated, but using "last 4 hours". If you then change the offset to 2 days, the values are recalculated (notice the minutes change to reflect a new 'now'), but the offset is still 7 days.

This is driving me nuts, and no one so far has been able to explain why it is doing this, or how to get it to work the way I'd like. Again, I'm sure it is something obvious that I'm just not seeing. Any help would be appreciated!!!

Here's the code. Just create a new dashboard, edit the source, replace it with the below, save it, then play around and you should see the problem. 🙂

Thanks,
Karl


<form>
  <init></init>
  <label>Range Calculation Test</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" token="time_range" searchWhenChanged="false">
      <label>Range 1</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="start1_epoch">if(isnum($time_range.earliest$), $time_range.earliest$, relative_time(now(), $time_range.earliest$))</eval>
        <eval token="end1_epoch">if(isnum($time_range.latest$), $time_range.latest$, relative_time(now(), $time_range.latest$))</eval>
        <eval token="start2_epoch">relative_time($start1_epoch$, $offset$)</eval>
        <eval token="end2_epoch">relative_time($end1_epoch$, $offset$)</eval>
        <eval token="start1_str">strftime($start1_epoch$, "%c")</eval>
        <eval token="end1_str">strftime($end1_epoch$, "%c")</eval>
        <eval token="start2_str">strftime($start2_epoch$, "%c")</eval>
        <eval token="end2_str">strftime($end2_epoch$, "%c")</eval>
        <eval token="earliest1">strftime($start1_epoch$, "%m/%d/%Y:%T")</eval>
        <eval token="latest1">strftime($end1_epoch$, "%m/%d/%Y:%T")</eval>
        <eval token="earliest2">strftime($start2_epoch$, "%m/%d/%Y:%T")</eval>
        <eval token="latest2">strftime($end2_epoch$, "%m/%d/%Y:%T")</eval>
      </change>
    </input>
    <input type="text" token="offset" searchWhenChanged="false">
      <label>Offset for range 2 (days prior)</label>
      <initialValue>7</initialValue>
      <default>7</default>
      <prefix>-</prefix>
      <suffix>d</suffix>
      <change>
        <eval token="start1_epoch">if(isnum($time_range.earliest$), $time_range.earliest$, relative_time(now(), $time_range.earliest$))</eval>
        <eval token="end1_epoch">if(isnum($time_range.latest$), $time_range.latest$, relative_time(now(), $time_range.latest$))</eval>
        <eval token="start2_epoch">relative_time($start1_epoch$, $offset$)</eval>
        <eval token="end2_epoch">relative_time($end1_epoch$, $offset$)</eval>
        <eval token="start1_str">strftime($start1_epoch$, "%c")</eval>
        <eval token="end1_str">strftime($end1_epoch$, "%c")</eval>
        <eval token="start2_str">strftime($start2_epoch$, "%c")</eval>
        <eval token="end2_str">strftime($end2_epoch$, "%c")</eval>
        <eval token="earliest1">strftime($start1_epoch$, "%m/%d/%Y:%T")</eval>
        <eval token="latest1">strftime($end1_epoch$, "%m/%d/%Y:%T")</eval>
        <eval token="earliest2">strftime($start2_epoch$, "%m/%d/%Y:%T")</eval>
        <eval token="latest2">strftime($end2_epoch$, "%m/%d/%Y:%T")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <b>Input fields:</b><br/>
        time_range.earliest = $time_range.earliest$ <br/>
        time_range.latest = $time_range.latest$ <br/>
        offset = $offset$ <br/>
        <br/>
        <b>Range 1:</b><br/>
        start1_epoch = $start1_epoch$ <br/>
        end1_epoch = $end1_epoch$ <br/>
        start1_str = $start1_str$ <br/>
        end1_str = $end1_str$ <br/>
        earliest1 = $earliest1$ <br/>
        latest1 = $latest1$ <br/>
        <br/>
        <b>Range 2:</b><br/>
        start2_epoch = $start2_epoch$ <br/>
        end2_epoch = $end2_epoch$ <br/>
        start2_str = $start2_str$ <br/>
        end2_str = $end2_str$ <br/>
        earliest2 = $earliest2$ <br/>
        latest2 = $latest2$ <br/>
      </html>
    </panel>
  </row>
</form>
1 Solution

somesoni2
SplunkTrust

I've seen that the setting of a token using time input is one step slower (always shows previous values in change event). I'm guessing your ultimate goal is not to display the range in html panel but run some searches. If that's the case, it can easily be achieved using another search element with usage of addinfo command to manipulate time range values. Like this:

<search>
  <!-- Runs over the time picker's range, so addinfo's info_min_time / info_max_time
       are the epoch bounds of range 1. The expression below assumes $offset$ is a bare
       number of days; with the prefix "-" and suffix "d" on the input in the question,
       $offset$ already reads "-7d" and can be passed to relative_time() directly. -->
  <query>| gentimes start=-1 | addinfo | eval start2_epoch=relative_time(info_min_time,"-".$offset$."d") | eval end2_epoch=relative_time(info_max_time,"-".$offset$."d") | table start2_epoch end2_epoch</query>
  <earliest>$time_range.earliest$</earliest>
  <latest>$time_range.latest$</latest>
  <done>
    <set token="start2_epoch">$result.start2_epoch$</set>
    <set token="end2_epoch">$result.end2_epoch$</set>
  </done>
</search>

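A complete dashboard built on the accepted addinfo approach, added here as an illustration and not code from the thread: a form-level helper search resolves the picker's range to epochs, shifts both bounds by the offset input (whose "-" prefix and "d" suffix make $offset|s$ read "-7d"), and a panel then runs its own search over range 2. index=_internal is an assumed sample index; any panel that uses $time_range.earliest$ / $time_range.latest$ directly already covers range 1.

```xml
<form>
  <label>Range Offset (addinfo approach)</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" token="time_range" searchWhenChanged="false">
      <label>Range 1</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="offset" searchWhenChanged="false">
      <label>Offset for range 2 (days prior)</label>
      <default>7</default>
      <prefix>-</prefix>
      <suffix>d</suffix>
    </input>
  </fieldset>
  <!-- Helper search: it runs over the picker's range, so addinfo's info_min_time and
       info_max_time are range 1's epoch bounds. $offset|s$ quotes the token ("-7d"),
       which relative_time() needs as a string. Caveat: with "All time" info_max_time
       is +Infinity and relative_time() returns null, so range 2 cannot be computed. -->
  <search>
    <query>| makeresults | addinfo
| eval start2_epoch=relative_time(info_min_time, $offset|s$)
| eval end2_epoch=relative_time(info_max_time, $offset|s$)
| eval range2=strftime(start2_epoch, "%m/%d/%Y %H:%M:%S")." - ".strftime(end2_epoch, "%m/%d/%Y %H:%M:%S")
| table start2_epoch end2_epoch range2</query>
    <earliest>$time_range.earliest$</earliest>
    <latest>$time_range.latest$</latest>
    <done>
      <set token="start2_epoch">$result.start2_epoch$</set>
      <set token="end2_epoch">$result.end2_epoch$</set>
      <set token="range2_label">$result.range2$</set>
    </done>
  </search>
  <row>
    <!-- depends= keeps the panel hidden until the done handler has set the tokens;
         epoch seconds are valid values for the earliest/latest elements -->
    <panel depends="$start2_epoch$">
      <title>Range 2: $range2_label$</title>
      <table>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>$start2_epoch$</earliest>
          <latest>$end2_epoch$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```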

kcepull2
Path Finder

How do I mark this as answered? I don't see that option anywhere? I'd like to give credit...

0 Karma

DalJeanis
SplunkTrust

You accept any particular answer - whichever one helped you the most. You can also upvote any answers that helped you significantly or that you found valuable, whether or not they actually solved your original question.

Ah, there weren't any answers. Heh. Moving somesoni2's comment to answer so you can accept it.

0 Karma

kcepull2
Path Finder

Thanks, DalJeanis.

The problem is there aren't any options on the screen to "accept" anyone's answers! Where should that option be? I only see the up/downvote options on my main question, too, not on anyone's replies. Not sure if I'm just not looking in the right place, but I don't seem to see it...

0 Karma

DalJeanis
SplunkTrust

Comments... for me, on Chrome, the upvote appears to the right of the name on each comment when I hover near the place it says "2 minutes ago"

"Accept answer" is one of the options near the place you can comment on an answer.

0 Karma

kcepull2
Path Finder

OK, that is weird. I just got an email that an ANSWER had been posted, and now I can up/down vote it and accept it. Perhaps those options weren't there at first because they were comments, not answers? (I'm new to this, so still learning...)

0 Karma

kcepull2
Path Finder

Thanks, guys!!! I got this to work based on your suggestions. Here's what I ended up with:

<label>Range Calculation Test</label>

<input type="time" token="time_range" searchWhenChanged="false">
  <label>Range 1</label>
  <default>
    <earliest>-4h@m</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="text" token="offset" searchWhenChanged="false">
  <label>Offset for range 2 (days prior)</label>
  <initialValue>7</initialValue>
  <default>7</default>
  <prefix>-</prefix>
  <suffix>d</suffix>
</input>


<panel>
  <table>
    <search>
      <query>| makeresults | addinfo 
      | eval start2_epoch = relative_time(info_min_time, $offset|s$)
      | eval end2_epoch = relative_time(info_max_time, $offset|s$)
      | eval start2_str = strftime(start2_epoch, "%c")
      | eval earliest2 = strftime(start2_epoch, "%m/%d/%Y:%H:%M:%S")
      | eval end2_str = strftime(end2_epoch, "%c")
      | eval latest2 = strftime(end2_epoch, "%m/%d/%Y:%H:%M:%S")
      | eval start1_str = strftime(info_min_time, "%c")
      | eval end1_str = strftime(info_max_time, "%c")
      </query>
      <earliest>$time_range.earliest$</earliest>
      <latest>$time_range.latest$</latest>
      <done>
        <set token="start1_str">$result.start1_str$</set>
        <set token="end1_str">$result.end1_str$</set>
        <set token="start2_str">$result.start2_str$</set>
        <set token="end2_str">$result.end2_str$</set>
        <set token="earliest1">$result.info_min_time$</set>
        <set token="latest1">$result.info_max_time$</set>
        <set token="earliest2">$result.earliest2$</set>
        <set token="latest2">$result.latest2$</set>
      </done>
    </search>

....

0 Karma

niketn
Legend

@kcepull...

Dropdown control has $value$ or $label$ tokens that are available with the latest selected value and label in the change event. However, Time control does not expose something similar to be used instantly. Since you are using $time_range.earliest$ and $time_range.latest$, they will be available only after the value has already changed (or posted).

Time picker input does not seem to expose tokens like $earliest$, $latest$ etc. So you will have to rely on workarounds. Most apt is the one with addinfo as suggested by Somesh. Here is another approach of running a dummy search just to capture earliest and latest time through $job.earliestTime$ and $job.latestTime$:

   <label>Range Calculation Test</label>
   <fieldset autoRun="true" submitButton="true">
     <input type="time" token="time_range" searchWhenChanged="false">
       <label>Range 1</label>
       <default>
         <earliest>-4h@m</earliest>
         <latest>now</latest>
       </default>
     </input>
   </fieldset>
   <!-- Dummy search bound to the picker's range; its job properties carry the resolved
        earliest/latest times as formatted strings, which strptime() turns into epochs. -->
   <search>
     <query>|makeresults</query>
     <earliest>$time_range.earliest$</earliest>
     <latest>$time_range.latest$</latest>
     <done>
       <eval token="start1_epoch">strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S")</eval>
       <eval token="end1_epoch">strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S")</eval>
     </done>
   </search>

PS: I could not use start1_epoch and end1_epoch with relative_time within eval the way you have mentioned; however, the same works in Search.

0 Karma

frobinson_splun
Splunk Employee

Another note to @niketnilay and @kcepull2,
You can use the time picker's token to access the earliest/latest selected values, as posted in the original question.

For example, in the following token, I could use $field1.earliest$ and $field1.latest$ to get the earliest and latest time values.

  <fieldset>
    <input type="time" token="field1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

Hope this helps!

0 Karma

frobinson_splun
Splunk Employee

@kcepull2, @niketnilay
FWIW, if you are seeing differences between search + dashboard eval behavior, the "eval" search command uses a different regex engine than the dashboard token "eval" command (this one uses the JavaScript regex engine).

This is noted in our docs, (see http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Define_token_filtering_and_formatting) but it is a subtle difference.

If needed, you can use a regex tester online to help with formulating the statement.

0 Karma