
Hi guys,
I'm trying to create a custom dashboard.
I've added a DropDown input with the following parameters:
- token failureId
- query= myquery
- Field for label= Date
- Field for Value= FailureID
I would like to create a graph line where the time range is between: ($failureId$/1000)-15minutes and ($failureId$/1000)
How can I configure the chart panel to perform this query?
Thanks

You would need to code the Dropdown change event because you are trying to perform a calculation on selection of a value in the Dropdown.
You also need to
- Either provide a default value for the Dropdown and enable search on change to allow your dashboard to load for the first time.
- Or else set depends in the second panel on the tokens $Earliest$ and $Latest$, because the first time the Panel cannot be displayed without these values.
<change>
  <eval token="Earliest">relative_time($value$/1000000,"-15m")</eval>
  <eval token="Latest">$value$/1000000</eval>
</change>
Once you have set the token in the Dropdown on selecting/changing the dropdown value, you can use the same in your second panel as you have mentioned before, i.e. by adding the following to your search.
<earliest>$Earliest$</earliest>
<latest>$Latest$</latest>
| makeresults | eval message= "Happy Splunking!!!"

Assuming you're running Splunk 6.3 or newer, you can use the <change> element on the dropdown to set the time values accordingly. The following assumes you are using a global time picker atop of the dashboard. If you are using a timepicker with a specific name, you will need to change the token names to form.<TIME_TOKEN_NAME>.earliest and form.<TIME_TOKEN_NAME>.latest.
<input token="failureId" type="dropdown">
  ...
  <change>
    <condition label="*">
      <!-- the selected value is in microseconds: convert to epoch seconds, then subtract 15 minutes -->
      <eval token="earliest">round('value'/1000000, 3) - 15*60</eval>
      <eval token="latest">round('value'/1000000, 3)</eval>
    </condition>
  </change>
</input>
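
The two answers above, combined into one complete form as an added example (not code from any poster in this thread): the dropdown's change handler derives the window and the chart panel stays hidden until both tokens exist. The token names `win_earliest` and `win_latest` are hypothetical; `myquery`, `myindex` and the field names are taken from the question.

```xml
<form>
  <label>Failure window (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="failureId" searchWhenChanged="true">
      <label>FailureID</label>
      <fieldForLabel>Date</fieldForLabel>
      <fieldForValue>FailureID</fieldForValue>
      <search>
        <query>myquery</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <change>
        <!-- FailureID is a timestamp in microseconds; dividing by
             1000000 gives epoch seconds, which earliest/latest accept -->
        <eval token="win_latest">round($value$/1000000, 3)</eval>
        <!-- 15 minutes = 15*60 seconds before the failure -->
        <eval token="win_earliest">round($value$/1000000, 3) - 15*60</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <!-- depends keeps the panel hidden (and its search from running)
         until a failure has been selected and both tokens are set -->
    <panel depends="$win_earliest$,$win_latest$">
      <chart>
        <search>
          <query>index=myindex ALARM="ALARM" | timechart count</query>
          <!-- hypothetical token names, set by the change handler above -->
          <earliest>$win_earliest$</earliest>
          <latest>$win_latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Using dedicated tokens scopes the 15-minute window to this one chart; other panels on the dashboard keep whatever time range they already use.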

This seems interesting, but I don't need to modify the dropdown; instead, I need to modify the query that creates the line chart based on the value selected in the dropDown:
<panel>
<input type="dropdown" token="failureID">
<label>FailureID</label>
<fieldForLabel>Date</fieldForLabel>
<fieldForValue>FailureID</fieldForValue>
<search>
<query>myquery</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
<chart>
<search>
<query>index=myindex ALARM="ALARM" | timechart count</query>
<earliest>$failureID$/1000 - 15 minutes</earliest>
<latest>$failureID$/1000</latest>
</search>
<option name="charting.chart">line</option>
</chart>
</panel>
Is it possible?

This is working
<chart>
<search>
<query>index=myindex ALARM="ALARM" | timechart count</query>
<earliest>$failureID$</earliest>
<latest></latest>
</search>
<option name="charting.chart">line</option>
</chart>
But I need to subtract -15 minutes from <earliest>$failureID$</earliest>

The example I gave you should do what you want because it is directly modifying the search time period for the chart. I suggest you try what I posted after you remove the earliest and latest from the chart.

You are right, it worked.

I am not sure what you mean by ($failureId$/1000).
Do you mean that your failure id is a large number, e.g. 37000, and you are trying to convert this to 37?
Or are you trying to divide the number of occurrences of a given failure id by 1000?
Whilst I am asking questions, what is the significance of -15 from a failure id?

The failureID is a TimeStamp like this: 1487753100000000 but to let Splunk treat this timestamp I have to perform this division: 1487749956/1000000 (sorry it is not 1000 but 1000000)
For example the following is a query that I created and it's working
index=myindex sourcetype="csv" Resource=myres myfield=* FailureID=* | eval _time=(FailureID/1000000) | table _time, myfield
Then I want to get all the logs that are between my (FailureIDTimestamp - 15 minutes) and FailureIDTimestamp.

Another thing you need to explain about -15 min. Is it 15 minutes prior to the DateTime value selected as Label in the Dropdown?
| makeresults | eval message= "Happy Splunking!!!"

Yes, the user selects the failureID (that is my type of timestamp) in the dropdown (the token of the dropdown is $failureId$) and I want to perform a query to create a line chart using this time range: [$failureId$/1000000 - 15m, $failureId$/1000000 ]
