Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Creating predefined timerange for service period

ismarslomic
Path Finder
‎01-07-2017 12:56 AM

Is it possible to define named (relative) time ranges (with use of macros or other teqniques) for service hours (07:00-18:00 monday-friday) and calculation period (first day in a month to last in a month) so I can easily change between current and previous calculation periods in dashboards/panels/stat charts?

Scenario 1
Default should be to select current calculation period, which is from first day in this month (01.01.2016) to current date 07.01.2016, and only filter service hours.

Scenario 2
Then I can just pick previous month and year, let say December 2016 and filters on service hours for that month and year.

Disclamer!
Im quite new to Splunk, so please excuse any missusing of commom terms and techniques, and feel free to correct me!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-07-2017 03:46 PM

Following should be added to your base search 

<YourBaseSearch> AND (date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday") AND (date_hour>=7 AND date_hour<=18)

You can also do the following, however, for search query performance inclusion is better than exclusion

<YourBaseSearch> AND (date_wday!="saturday" AND date_wday!="sunday") AND (date_hour>=7 AND date_hour<=18)

Since this is added to your base search you can save the same as eventtype like <your_index_sourcetype&gt_working_hour. You can similarly create a non_working_hour eventtype with reverse search filter.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-07-2017 03:46 PM

Following should be added to your base search 

<YourBaseSearch> AND (date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday") AND (date_hour>=7 AND date_hour<=18)

You can also do the following, however, for search query performance inclusion is better than exclusion

<YourBaseSearch> AND (date_wday!="saturday" AND date_wday!="sunday") AND (date_hour>=7 AND date_hour<=18)

Since this is added to your base search you can save the same as eventtype like <your_index_sourcetype&gt_working_hour. You can similarly create a non_working_hour eventtype with reverse search filter.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

ismarslomic
Path Finder
‎01-08-2017 01:14 AM

Thanks, @niketnilay!
But I will reuse exactly this time range filter in different search combinations. Would it be possible to extend the "Presets" list of Time range dropdown list so I can just apply this filter on different search combinations?

0 Karma
Reply
Solved! Jump to solution

ismarslomic
Path Finder
‎01-08-2017 04:36 AM

Important information about date_* (default datetime fields) is that only events which contains timestamp, generated from their systems, will get these default fields. See more at https://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Usedefaultfields

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-08-2017 04:39 AM

When you use it in the dropdown value, it will not evaluate as a search... It will just remain as a string. Where ever you run the query that is where you will append the string $selectedTimeWindow$

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-08-2017 04:50 AM

Following is what your Dropdown may look like

  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="selTimeWindow" searchWhenChanged="true">
      <label>Select Time Window</label>
      <choice value="(date_wday=&quot;monday&quot; OR date_wday=&quot;tuesday&quot; OR date_wday=&quot;wednesday&quot; OR date_wday=&quot;thursday&quot; OR date_wday=&quot;friday&quot;) AND (date_hour&gt;=7 AND date_hour&lt;=18)">Weekday Business Hours</choice>
      <choice value="(date_wday=&quot;saturday&quot; OR date_wday=&quot;sunday&quot;) AND (date_hour&gt;=7 AND date_hour&lt;=18)">Weekend Business Hours</choice>
      <choice value="(date_wday=&quot;monday&quot; OR date_wday=&quot;tuesday&quot; OR date_wday=&quot;wednesday&quot; OR date_wday=&quot;thursday&quot; OR date_wday=&quot;friday&quot;) AND (date_hour&lt;7 AND date_hour&gt;18)">Weekday Non Business Hours</choice>
      <choice value="(date_wday=&quot;saturday&quot; OR date_wday=&quot;sunday&quot;) AND  (date_hour&lt;7 AND date_hour&gt;18)">Weekend Non Business Hours</choice>
      <default>(date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday") AND (date_hour&gt;=7 AND date_hour&lt;=18)</default>
      <initialValue>(date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday") AND (date_hour&gt;=7 AND date_hour&lt;=18)</initialValue>
    </input>
  </fieldset>

You can then feed the value selected in Drop Down to your search:

    <search>
      <query>index=_internal sourcetype=splunkd AND $selTimeWindow$

| stats count by group

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-08-2017 04:34 AM

Yes You can define a Dropdown with two static options or Labels i.e. Businees Hours and Non-Business Hours and Values will be the two queries as string. You can finally append to searches.

If Drop Down name is selectedTimeWindow then your query will change to 

  <Your Base Search> $selectedTimeWindow$ |

Also instead of Eventtype you can define macros with the part of search query above and append to your own base search where ever required (also via Dropdown).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...