Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing _time to a new field in dashboard

waeleljarrah
Explorer
‎04-16-2020 02:00 PM

I have a new field called new_time, and I need to add a time picker on the dashboard but have it use the new_time values. Can someone please suggest a solution?

| eval new_time = strptime(old_sec,"%m/%d/%Y %H:%M")
| fieldformat new_time=strftime(new_time,"%m/%d %H:%M")
|eval _time=new_time
| xyseries _time, Name, Values

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

waeleljarrah
Explorer
‎04-21-2020 07:56 AM 
<form theme="light">
  <label>Inquiries to Office &amp; Office Locations</label>
  <fieldset submitButton="true">
    <input type="multiselect" token="office">
      <label>State</label>
      <delimiter> OR </delimiter>
      <fieldForLabel>Office</fieldForLabel>
      <fieldForValue>Office</fieldForValue>
      <valuePrefix>Office="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Office=ltrim(state)
| dedup Office | sort +Office</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="earliest_time">
      <label>Initial Time</label>
      <fieldForLabel>time</fieldForLabel>
      <fieldForValue>Early_time</fieldForValue>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Early_time = strptime(time,"%m/%d/%Y %H:%M")

| dedup Early_time
| sort +Early_time</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="dropdown" token="latest_time">
      <label>Final Time</label>
      <fieldForLabel>time</fieldForLabel>
      <fieldForValue>Late_time</fieldForValue>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Late_time = strptime(time,"%m/%d/%Y %H:%M")

| dedup Late_time
| sort +Late_time</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Inquiries</title>
      <chart>
        <title>Inquiries vs Time</title>
        <search>
          <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Office=ltrim(state) | search $office$
| eval Total_inquiries=ltrim(sumofinquiries)
| eval new_time = strptime(time,"%m/%d/%Y %H:%M")
| eval Time=new_time
| where new_time>=$earliest_time$ AND new_time<=$latest_time$
| fieldformat Time=strftime(Time, "%m/%d %H:%M")
| xyseries Time, Office, Total_inquiries</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisLabelsX.majorLabelVisibility">show</option>
        <option name="charting.axisTitleX.text">Date &amp; Hour</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">Attempts</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">zero</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="height">357</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

waeleljarrah
Explorer
‎04-21-2020 07:56 AM 
<form theme="light">
  <label>Inquiries to Office &amp; Office Locations</label>
  <fieldset submitButton="true">
    <input type="multiselect" token="office">
      <label>State</label>
      <delimiter> OR </delimiter>
      <fieldForLabel>Office</fieldForLabel>
      <fieldForValue>Office</fieldForValue>
      <valuePrefix>Office="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Office=ltrim(state)
| dedup Office | sort +Office</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="earliest_time">
      <label>Initial Time</label>
      <fieldForLabel>time</fieldForLabel>
      <fieldForValue>Early_time</fieldForValue>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Early_time = strptime(time,"%m/%d/%Y %H:%M")

| dedup Early_time
| sort +Early_time</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="dropdown" token="latest_time">
      <label>Final Time</label>
      <fieldForLabel>time</fieldForLabel>
      <fieldForValue>Late_time</fieldForValue>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Late_time = strptime(time,"%m/%d/%Y %H:%M")

| dedup Late_time
| sort +Late_time</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Inquiries</title>
      <chart>
        <title>Inquiries vs Time</title>
        <search>
          <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Office=ltrim(state) | search $office$
| eval Total_inquiries=ltrim(sumofinquiries)
| eval new_time = strptime(time,"%m/%d/%Y %H:%M")
| eval Time=new_time
| where new_time>=$earliest_time$ AND new_time<=$latest_time$
| fieldformat Time=strftime(Time, "%m/%d %H:%M")
| xyseries Time, Office, Total_inquiries</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisLabelsX.majorLabelVisibility">show</option>
        <option name="charting.axisTitleX.text">Date &amp; Hour</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">Attempts</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">zero</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="height">357</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 01:51 PM 
<form>
  <label>New time picker</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="new_time">
      <label>new_time</label>
      <fieldForLabel>label_text</fieldForLabel>
      <fieldForValue>query_text</fieldForValue>
      <search>
        <query>|makeresults
| eval label_text="earliest=04/06/2020:00:00:00 latest=04/14/2020:23:00:00"
| eval query_text="earliest=\"04/06/2020:00:00:00\" latest=\"04/14/2020:23:00:00\""</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <initialValue>earliest="04/06/2020:00:00:00" latest="04/14/2020:23:00:00"</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal $new_time$ splunkd</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-16-2020 02:59 PM

Are your going to make earliest and latest and send these next panel?

0 Karma
Reply
Solved! Jump to solution

waeleljarrah
Explorer
‎04-20-2020 02:42 PM

Hi, thanks for the hint and advice. I now have the SPL working if I use Epoch time per code below. I still need to format the Early_time and Late_time in human readable form for the dropdown selection but without altering the original value in Epoch for Early_time and Late_time. Any hints would be appreciated.

<form theme="light">
  <label>Inquiries to Office &amp; Office Locations</label>
  <fieldset submitButton="true">
    <input type="multiselect" token="office">
      <label>State</label>
      <delimiter> OR </delimiter>
      <fieldForLabel>Office</fieldForLabel>
      <fieldForValue>Office</fieldForValue>
      <valuePrefix>Office="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Office=ltrim(state)
| dedup Office | sort +Office</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="earliest_time">
      <label>Initial Time</label>
      <fieldForLabel>Early_time</fieldForLabel>
      <fieldForValue>Early_time</fieldForValue>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Early_time = strptime(time,"%m/%d/%Y %H:%M")
| Table Early_time
| dedup Early_time
| sort +Early_time</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="dropdown" token="latest_time">
      <label>Final Time</label>
      <fieldForLabel>Late_time</fieldForLabel>
      <fieldForValue>Late_time</fieldForValue>
      <search>
        <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Late_time = strptime(time,"%m/%d/%Y %H:%M")
| Table Late_time
| dedup Late_time
| sort +Late_time</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Inquiries</title>
      <chart>
        <title>Inquiries vs Time</title>
        <search>
          <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw
| eval Office=ltrim(state) | search $office$
| eval Total_inquiries=ltrim(sumofinquiries)
| eval new_time = strptime(time,"%m/%d/%Y %H:%M")
| eval new_tyme=new_time
| where new_time&gt;=$earliest_time$ AND new_time&lt;=$latest_time$
| xyseries new_tyme, Office, Total_inquiries</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisLabelsX.majorLabelVisibility">show</option>
        <option name="charting.axisTitleX.text">Date &amp; Hour</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">Attempts</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">zero</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="height">357</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-21-2020 02:43 AM

How about <fieldForLabel> is time?

0 Karma
Reply
Solved! Jump to solution

waeleljarrah
Explorer
‎04-21-2020 07:36 AM

Thank you! it works

0 Karma
Reply
Solved! Jump to solution

waeleljarrah
Explorer
‎04-17-2020 09:24 AM

sorry, this is not indexed time. It is completely arbitrary field that is formatted as a historical time column (called new_time) independent of the time the events were loaded into splunk.
I was thinking maybe doing a multiselect input but unsure how to make it look like a time picker.
Basically this new_time is hourly values earliest=04/06/2020:00:00:00 latest=04/14/2020:23:00:00.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...