
Can we multiply a time value chosen from a drop-down with some number and run a search using that product as earliest time?

Communicator

Hi,

I have an app with a time drop-down.
I want to use earliest time as double the earliest time selected by the user.
If a user selects 6 minutes ago, the search should take 12 days ago as earliest time through the token.

I got it using $timevalue.earliest$$timevalue.earliest$ in earliest time in place of $timevalue.earliest$
[where $timevalue.earliest$ is token for time drop down.]

But the problem is when a user selects particular dates for running the search. In that case, the epoch value is getting generated and my app is showing invalid earliest time.

Is there any way to solve this?

Thanks

0 Karma

Re: Can we multiply a time value chosen from a drop-down with some number and run a search using that product as earliest time?

Champion

You could use javascript and check whether $timevalue.earliest$ is a relative time specifier or an absolute epoch value.

0 Karma

Re: Can we multiply a time value chosen from a drop-down with some number and run a search using that product as earliest time?

Communicator

I want to double the time. If it's epoch time, how do I double the duration?
I am not that much into JavaScript; can you please elaborate on it?

0 Karma

Re: Can we multiply a time value chosen from a drop-down with some number and run a search using that product as earliest time?

Champion

See here on how to do fun things with tokens in js. You'll have to parse the relative time and change it, i.e. something like

    // parseInt("-1d@d") yields -1; an epoch value has no leading "-" and is left unchanged
    var str = parseInt(earliest, 10);
    if (str) {
        earliest = earliest.replace(/\-\d+/, str * 2);
    }

for the simple "-1d@d" notation. To double an epoch the way I understand you want to do it, you'll have to do exactly as you said - double the duration. That means you need to calculate the relative time between earliest and latest and move earliest to double that relative time before latest. You can either do this by hand, i.e. with JavaScript's Date(), or you could lend yourself a helping hand from something like moment.js for that.

0 Karma
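
The two cases described in the reply above (a relative specifier versus an absolute epoch pair), as an added example that is not part of the original thread. `doubleEarliest`, its parameters, the treatment of `0` as "all time" and the sample dates are assumptions made for illustration; values that fit neither case are rejected rather than forwarded into a search.

```javascript
// Added example: double the look-back window of a time-picker selection.
// doubleEarliest and its parameters are hypothetical names, not a Splunk API.
function doubleEarliest(earliest, latest, nowSec) {
    var e = String(earliest == null ? "" : earliest).trim();
    var l = String(latest == null ? "" : latest).trim();
    var epoch = /^\d+(\.\d+)?$/;

    // Assumption: an empty or "0" earliest means "all time"; nothing to double.
    if (e === "" || e === "0") {
        return e;
    }

    // Relative specifier such as "-6m" or "-1d@d": double the count, keep the
    // unit and any snap-to suffix.
    var rel = /^-(\d+)([a-z]+)(@[a-z0-9]+)?$/i.exec(e);
    if (rel) {
        return "-" + (parseInt(rel[1], 10) * 2) + rel[2] + (rel[3] || "");
    }

    // Absolute epoch seconds: keep latest fixed and move earliest back so the
    // window is twice the selected duration.
    if (epoch.test(e)) {
        var latestSec;
        if (l === "" || l === "now") {
            // Open-ended range: use the caller's clock, or the system clock.
            latestSec = nowSec === undefined ? Date.now() / 1000 : nowSec;
        } else if (epoch.test(l)) {
            latestSec = parseFloat(l);
        } else {
            throw new Error("unsupported latest value: " + l);
        }
        var duration = latestSec - parseFloat(e);
        if (!(duration > 0)) {
            throw new Error("latest must be after earliest");
        }
        return String(latestSec - 2 * duration);
    }

    // Anything else (real-time "rt-5m", chained modifiers, stray text) is
    // rejected instead of being passed on into a search.
    throw new Error("unsupported earliest value: " + e);
}

// Constructed sample (the year is arbitrary): 4 April to 6 April, UTC.
var apr4 = String(Date.UTC(2016, 3, 4) / 1000);
var apr6 = String(Date.UTC(2016, 3, 6) / 1000);
console.log(doubleEarliest("-6m", "now"));  // relative: count doubled
console.log(doubleEarliest(apr4, apr6));    // absolute: epoch of 2 April
```

The returned value would be written to a separate token that the search uses as its earliest time; that dashboard wiring is not shown here.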

Re: Can we multiply a time value chosen from a drop-down with some number and run a search using that product as earliest time?

SplunkTrust

I get that if the timerange selected is "last sometimerange", you want to double it. What do you want to do if the user selects a fixed date? Do you want to keep the latest time constant and go double the duration back as earliest?

0 Karma

Re: Can we multiply a time value chosen from a drop-down with some number and run a search using that product as earliest time?

Communicator

Yes.
In that case I want the latest time to be constant and to double the duration for the earlier time.
For example, if it's from 4th April to 6th April, I want the latest time to be 6th April but the earlier time to be 2nd April.

0 Karma

Re: Can we multiply a time value chosen from a drop-down with some number and run a search using that product as earliest time?

SplunkTrust

Try something like this

  1. Use the token to specify the timerange for the panel/visualization
  2. Add the following as a subsearch to your base search (to override the earliest and latest)

    your base search [| gentimes start=-1 | addinfo | eval earliest=info_max_time - 2*(info_max_time - info_min_time) | eval latest=info_max_time | table earliest latest | format ] | rest of the search

When the timerange token is specified as the timerange for the panel, addinfo will get the earliest (info_min_time) and latest (info_max_time) in epoch format. The calculation will double the duration/period and return a new earliest/latest which will override the values from the token.

0 Karma

Re: Can we multiply a time value chosen from a drop-down with some number and run a search using that product as earliest time?

Communicator

In my token, $time_display.latest$ is the latest time and $time_display.earliest$ is the earliest time.
I modified my code like this. It's still showing invalid earliest time. My output is a single value, so I don't need a table.
Is something wrong with my code?

    <query>$index_tok$ $sourcetype_tok$ $orig$  action="block"  [| gentimes start=-1 | addinfo | eval earliest =$time_display.latest$ - 2*($time_display.latest$ - $time_display.earliest$) | eval latest=$time_display.latest$ | format ] | remaining search</query>

    <earliest>earliest</earliest>
    <latest>latest</latest>
0 Karma