Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Custom Splunk query with relative time

faustf
Communicator
‎02-21-2017 11:51 PM

Hi guys,
I'm trying to create a custom dashboard.
I've added a DropDown input with the following parameters:

  1. token failureId
  2. query= myquery
  3. Field for label= Date
  4. Field for Value= FailureID

I would like to create a graph line where the time range is between: ($failureId$/1000)-15minutes and ($failureId$/1000)

how can i configure the chart panel to perform this query?
thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎02-22-2017 02:50 AM

You would need to code Dropdown change event because you are trying to perform calculation on selection of value in Dropdown.

You also need to
- Either provide a default value for Dropdown and enable search on change to allow your dashboard to load for the first time.
- Or else set depends in the second panel on the tokens $Earliest$ and $Latest$ because for the first time Panel can not be displayed without these values. 

  <change>
    <eval token="Earliest">relative_time($value$/1000000,"-15m")</eval>
    <eval token="Latest">$value$/1000000</eval>
  </change>

Once you have set the token in the Dropdown on selecting/changing dropdown value, you can use the same in your second panel as you have mentioned before... i.e. by adding following to your search.

      <earliest>$Earliest$</earliest>
      <latest>$Latest$</latest>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎02-22-2017 02:50 AM

You would need to code Dropdown change event because you are trying to perform calculation on selection of value in Dropdown.

You also need to
- Either provide a default value for Dropdown and enable search on change to allow your dashboard to load for the first time.
- Or else set depends in the second panel on the tokens $Earliest$ and $Latest$ because for the first time Panel can not be displayed without these values. 

  <change>
    <eval token="Earliest">relative_time($value$/1000000,"-15m")</eval>
    <eval token="Latest">$value$/1000000</eval>
  </change>

Once you have set the token in the Dropdown on selecting/changing dropdown value, you can use the same in your second panel as you have mentioned before... i.e. by adding following to your search.

      <earliest>$Earliest$</earliest>
      <latest>$Latest$</latest>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎02-22-2017 01:45 AM

Assuming your running Splunk 6.3 or newer, you can use the <change> element on the dropdown to set the time values accordingly. The following assumes you are using a global time picker atop of the dashboard. If you are using a timepicker with a specific name, you will need to change the token names to form.<TIME_TOKEN_NAME>.earliest and form.<TIME_TOKEN_NAME>.latest.

<input token="failureId" type="dropdown">
   ...
  <change>
    <condition label="*">
      <eval token="earliest">round('value'/1000000, 3) - 15*60</set>
      <eval token="latest">round('value'/1000000, 3)</set>
    </condition>
  </change>
</input>
0 Karma
Reply
Solved! Jump to solution

faustf
Communicator
‎02-22-2017 02:14 AM

This seems interesting but I don't need to modify the dropdown, instead, I need to modify the query that create the line chart based on the value selected in the dropDown:

<panel>
      <input type="dropdown" token="failureID">
        <label>FailureID</label>
        <fieldForLabel>Date</fieldForLabel>
        <fieldForValue>FailureID</fieldForValue>
        <search>
          <query>myquery</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </input>
      <chart>
        <search>
          <query>index=myindex ALARM="ALARM" | timechart count</query>
          <earliest>$failureID$/1000 - 15 minutes</earliest>
          <latest>$failureID$/1000</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>

is it possible?

0 Karma
Reply
Solved! Jump to solution

faustf
Communicator
‎02-22-2017 02:29 AM

This is working 

<chart>
        <search>
          <query>index=myindex ALARM="ALARM" | timechart count</query>
          <earliest>$failureID$</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">line</option>
</chart>

But I need to subtract -15 minute from <earliest>$failureID$</earliest>

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎02-22-2017 02:37 AM

The example I gave you should do what you want because it is directly modifying the search time period for the chart. I suggsest you try what I posted after you remove the earliest and latest from the chart.

0 Karma
Reply
Solved! Jump to solution

faustf
Communicator
‎02-22-2017 03:03 AM

you are right it worked.

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎02-22-2017 12:31 AM

I am not sure what you mean by ($failureId$/1000)
Do you mean that your failure id is a large number eg 37000, and you are trying to convert this to 37?
or - are you trying to trying to divide the number of occurrences of a given failure id by 1000?
Whilst i am asking questions, what is the significance of -15 from a failure id?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

faustf
Communicator
‎02-22-2017 12:48 AM

The failureID is a TimeStamp like this: 1487753100000000 but to let Splunk treat this timestamp I have to perform this division: 1487749956/1000000 (sorry it is not 1000 but 1000000)

For example the following is a query that I created and it's working

index=myindex sourcetype="csv" Resource=myres  myfield=* FailureID=*  | eval _time=(FailureID/1000000) | table _time, myfield

Then I want to get all the logs that are between my (FailureIDTimestamp - 15 minutes) and FailureIDTimestamp.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-22-2017 12:41 AM

Another thing you need to explain about -15 min. Is it 15 minutes prior to the DateTime value selected as Label in the Dropdown?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

faustf
Communicator
‎02-22-2017 12:51 AM

Yes, the user select the failureID (that is my type of timestamp) in the dropdown (the token of the dropdown is $failureId$) and I what to perform a query to create a line chart using this time range: [$failureId$/1000000 - 15m, $failureId$/1000000 ]

0 Karma
Reply
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...