Dashboards & Visualizations

Creating predefined timerange for service period

Path Finder

Is it possible to define named (relative) time ranges (with use of macros or other techniques) for service hours (07:00-18:00 Monday-Friday) and calculation period (first day in a month to last in a month) so I can easily change between current and previous calculation periods in dashboards/panels/stat charts?

Scenario 1
Default should be to select current calculation period, which is from first day in this month (01.01.2016) to current date 07.01.2016, and only filter service hours.

Scenario 2
Then I can just pick previous month and year, let's say December 2016, and filter on service hours for that month and year.

Disclaimer!
I'm quite new to Splunk, so please excuse any misuse of common terms and techniques, and feel free to correct me!

0 Karma
1 Solution

SplunkTrust

Following should be added to your base search

<YourBaseSearch> AND (date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday") AND (date_hour>=7 AND date_hour<=18)  

You can also do the following, however, for search query performance inclusion is better than exclusion

<YourBaseSearch> AND (date_wday!="saturday" AND date_wday!="sunday") AND (date_hour>=7 AND date_hour<=18) 

Since this is added to your base search you can save the same as eventtype like <your_index_sourcetype>_working_hour. You can similarly create a non_working_hour eventtype with reverse search filter.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Path Finder

Thanks, @niketnilay!
But I will reuse exactly this time range filter in different search combinations. Would it be possible to extend the "Presets" list of Time range dropdown list so I can just apply this filter on different search combinations?

0 Karma

Path Finder

Important information about date_* (default datetime fields) is that only events which contain a timestamp, generated from their systems, will get these default fields. See more at https://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Usedefaultfields

0 Karma

SplunkTrust

When you use it in the dropdown value, it will not evaluate as a search... It will just remain as a string. Wherever you run the query, that is where you will append the string $selectedTimeWindow$

0 Karma

SplunkTrust

Following is what your Dropdown may look like

  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="selTimeWindow" searchWhenChanged="true">
      <label>Select Time Window</label>
      <choice value="(date_wday=&quot;monday&quot; OR date_wday=&quot;tuesday&quot; OR date_wday=&quot;wednesday&quot; OR date_wday=&quot;thursday&quot; OR date_wday=&quot;friday&quot;) AND (date_hour&gt;=7 AND date_hour&lt;=18)">Weekday Business Hours</choice>
      <choice value="(date_wday=&quot;saturday&quot; OR date_wday=&quot;sunday&quot;) AND (date_hour&gt;=7 AND date_hour&lt;=18)">Weekend Business Hours</choice>
      <choice value="(date_wday=&quot;monday&quot; OR date_wday=&quot;tuesday&quot; OR date_wday=&quot;wednesday&quot; OR date_wday=&quot;thursday&quot; OR date_wday=&quot;friday&quot;) AND (date_hour&lt;7 OR date_hour&gt;18)">Weekday Non Business Hours</choice>
      <choice value="(date_wday=&quot;saturday&quot; OR date_wday=&quot;sunday&quot;) AND (date_hour&lt;7 OR date_hour&gt;18)">Weekend Non Business Hours</choice>
      <default>(date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday") AND (date_hour&gt;=7 AND date_hour&lt;=18)</default>
      <initialValue>(date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday") AND (date_hour&gt;=7 AND date_hour&lt;=18)</initialValue>
    </input>
  </fieldset>

You can then feed the value selected in Drop Down to your search:

    <search>
      <query>index=_internal sourcetype=splunkd AND $selTimeWindow$
| stats count by group</query>
    </search>

0 Karma

SplunkTrust

Yes, you can define a Dropdown with two static options or Labels, i.e. Business Hours and Non-Business Hours, and Values will be the two queries as string. You can finally append to searches.

If Drop Down name is selectedTimeWindow then your query will change to

  <Your Base Search> $selectedTimeWindow$ | 

Also, instead of Eventtype you can define macros with the part of search query above and append to your own base search wherever required (also via Dropdown).

0 Karma
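
The pieces discussed in this thread, put together as an added example that is not part of any poster's reply: a search macro holding the service-hours filter, a variant computed from _time for events that lack the date_* fields, and time range picker presets for the current and previous calculation period. Macro names, stanza names, labels and order values are assumptions; a picker preset can only set the earliest and latest time, so the hour and weekday filter still has to live in the search.

```ini
# macros.conf (added example; macro names are hypothetical)
# The weekday business-hours filter from the thread, reusable as `service_hours`.
# As written in the thread, date_hour<=18 also matches events from 18:00 to 18:59.
[service_hours]
definition = (date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday") AND (date_hour>=7 AND date_hour<=18)

# Variant for events without date_* fields: derive weekday and hour from _time.
# strftime %w gives 0 for Sunday through 6 for Saturday.
# Used after a pipe: <YourBaseSearch> | `service_hours_by_time`
[service_hours_by_time]
definition = eval wday=tonumber(strftime(_time, "%w")), hour=tonumber(strftime(_time, "%H")) | where wday>=1 AND wday<=5 AND hour>=7 AND hour<=18

# times.conf (added example; stanza names and labels are hypothetical)
# Extra entries for the Presets list of the time range picker.

# First day of this month, 00:00, up to now.
[current_calculation_period]
label = Current calculation period
earliest_time = @mon
latest_time = now
order = 10

# First day of last month, 00:00, up to the first day of this month, 00:00.
[previous_calculation_period]
label = Previous calculation period
earliest_time = -1mon@mon
latest_time = @mon
order = 11
```

A search then reads <YourBaseSearch> `service_hours` | stats count by group, with the calculation period chosen from the picker.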