Dashboards & Visualizations

Can you help me with create a dashboard which compares 2 dates?

willadams
Contributor

I am trying to create a fairly static dashboard that shows a license day count down timer. I have the following CSV file with the following fields

Application Service, License Expiry Date

For example, the data looks like this (date,month, year)

ApplicationX, 31/12/2018
ApplicationY, 01/01/2019

What I am trying to do in SPLUNK is show a dashboard that looks like this:

ApplicationX | Number of Days to Expiry

The file is monitored for any changes.

This is the code I have written:

index="app_licensing"
| eval timenow=now()
| eval CurrentDate=strftime(now(),"%d-%m-%Y")
| eval Expiry=strptime("License Expiration Date", "%d-%m-%Y")
| eval "Expiry Time Left"=CurrentDate-Expiry
| table "Application Service", "Expiry Time Left"

OR

index="app_licensing"
| eval timenow=now()
| eval CurrentDate=strftime(now(),"%d-%m-%Y")
| eval Expiry=strptime("License Expiration Date", "%d-%m-%Y")
| eval "Expiry Time Left"=CurrentDate-Expiry
| stats count by "Application Service", "Expiry Time Left"

However, when this gets displayed, I do not see anything in the "Expiry Time Left" column or any data in the second stanza. Where have I gone wrong?

0 Karma
1 Solution

renjith_nair
Legend

@willadams,

Probably few things :

  1. Your date format should be "%d/%m/%Y" ("/" instead of "-" )as per your example 31/12/2018
  2. Use single quote (') instead of (") in the variable name.
  3. You dont need to convert now() to strftime format since the calculation should be done in epoch format

So the difference is given in seconds and then you can convert to format you need (hours/days/months etc)
Please verify the variable name also. In the example it is 'License Expiry Date' and in search it is 'License Expiration Date'

index="app_licensing"
|eval "Expiry Time Left"=round(abs((now()-strptime('License Expiration Date',"%d/%m/%Y")))/86400,0)
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

@willadams,

Probably few things :

  1. Your date format should be "%d/%m/%Y" ("/" instead of "-" )as per your example 31/12/2018
  2. Use single quote (') instead of (") in the variable name.
  3. You dont need to convert now() to strftime format since the calculation should be done in epoch format

So the difference is given in seconds and then you can convert to format you need (hours/days/months etc)
Please verify the variable name also. In the example it is 'License Expiry Date' and in search it is 'License Expiration Date'

index="app_licensing"
|eval "Expiry Time Left"=round(abs((now()-strptime('License Expiration Date',"%d/%m/%Y")))/86400,0)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

willadams
Contributor

Thanks. I am not interested in seconds as this is simply number of days to Expiration. I will work out how to convert the number of seconds to just be days in total. For example the dashboard will simply read

Application X has 63 days left until the license is expired
Application Y has 64 days left until the license is expired

Of course the above will just be numbers and I will use number values depending on the values.

Regarding the variable name it is "License Expiry Date"

0 Karma

renjith_nair
Legend

@willadams, what I meant is - by default it gives in second but in the above case, I have already converted to days by dividing it by 86400. So output of above search is in days. Let me know if you need any further assistance , otherwise accept it as answer/upvote. thanks

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...