
Custom Splunk query with relative time

faustf
Communicator

Hi guys,
I'm trying to create a custom dashboard.
I've added a DropDown input with the following parameters:

  1. token failureId
  2. query= myquery
  3. Field for label= Date
  4. Field for Value= FailureID

I would like to create a graph line where the time range is between: ($failureId$/1000)-15minutes and ($failureId$/1000)

How can I configure the chart panel to perform this query?
Thanks


niketn
Legend

You would need to code a Dropdown change event because you are trying to perform a calculation on selection of a value in the Dropdown.

You also need to
- Either provide a default value for the Dropdown and enable search on change to allow your dashboard to load for the first time.
- Or else set depends in the second panel on the tokens $Earliest$ and $Latest$, because on first load the panel cannot be displayed without these values.

  <change>
    <eval token="Earliest">relative_time($value$/1000000,"-15m")</eval>
    <eval token="Latest">$value$/1000000</eval>
  </change>

Once you have set the token in the Dropdown on selecting/changing the dropdown value, you can use the same in your second panel as you have mentioned before, i.e. by adding the following to your search.

      <earliest>$Earliest$</earliest>
      <latest>$Latest$</latest>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

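Putting the pieces of the accepted answer together, the following is a complete Simple XML dashboard added here as an example; it is not code from the thread. The dropdown's search (index, sourcetype and the Date label built with strftime) is an assumption standing in for the poster's "myquery", and the chart search is the one shown later in the thread.

```xml
<form>
  <label>Alarms in the 15 minutes before a selected failure (added example)</label>
  <fieldset submitButton="false">
    <!-- searchWhenChanged makes the chart refresh as soon as a value is picked -->
    <input type="dropdown" token="failureId" searchWhenChanged="true">
      <label>FailureID</label>
      <fieldForLabel>Date</fieldForLabel>
      <fieldForValue>FailureID</fieldForValue>
      <search>
        <!-- assumed replacement for "myquery": FailureID is epoch microseconds,
             so divide by 1000000 before formatting it as the dropdown label -->
        <query>index=myindex sourcetype="csv" FailureID=*
          | eval Date=strftime(FailureID/1000000, "%Y-%m-%d %H:%M:%S")
          | dedup FailureID
          | table Date FailureID</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <change>
        <!-- $value$ is the selected FailureID; convert to seconds and
             derive the window [FailureID - 15m, FailureID] -->
        <eval token="Earliest">relative_time($value$/1000000, "-15m")</eval>
        <eval token="Latest">$value$/1000000</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <!-- depends keeps the panel hidden until both tokens exist, i.e. until
         the user has made a selection (no default value is set above) -->
    <panel depends="$Earliest$,$Latest$">
      <chart>
        <search>
          <query>index=myindex ALARM="ALARM" | timechart count</query>
          <earliest>$Earliest$</earliest>
          <latest>$Latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```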


rjthibod
Champion

Assuming you're running Splunk 6.3 or newer, you can use the <change> element on the dropdown to set the time values accordingly. The following assumes you are using a global time picker at the top of the dashboard. If you are using a timepicker with a specific name, you will need to change the token names to form.<TIME_TOKEN_NAME>.earliest and form.<TIME_TOKEN_NAME>.latest.

<input token="failureId" type="dropdown">
  ...
  <change>
    <condition label="*">
      <!-- $value$ is the selected dropdown value (epoch microseconds);
           /1000000 gives seconds, 15*60 is the 15-minute offset -->
      <eval token="earliest">round($value$/1000000, 3) - 15*60</eval>
      <eval token="latest">round($value$/1000000, 3)</eval>
    </condition>
  </change>
</input>

faustf
Communicator

This seems interesting, but I don't need to modify the dropdown; instead, I need to modify the query that creates the line chart based on the value selected in the dropdown:

<panel>
  <input type="dropdown" token="failureID">
    <label>FailureID</label>
    <fieldForLabel>Date</fieldForLabel>
    <fieldForValue>FailureID</fieldForValue>
    <search>
      <query>myquery</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
  </input>
  <chart>
    <search>
      <query>index=myindex ALARM="ALARM" | timechart count</query>
      <earliest>$failureID$/1000 - 15 minutes</earliest>
      <latest>$failureID$/1000</latest>
    </search>
    <option name="charting.chart">line</option>
  </chart>
</panel>

Is it possible?


faustf
Communicator

This is working

<chart>
  <search>
    <query>index=myindex ALARM="ALARM" | timechart count</query>
    <earliest>$failureID$</earliest>
    <latest></latest>
  </search>
  <option name="charting.chart">line</option>
</chart>

But I need to subtract 15 minutes from <earliest>$failureID$</earliest>


rjthibod
Champion

The example I gave you should do what you want because it is directly modifying the search time period for the chart. I suggest you try what I posted after you remove the earliest and latest from the chart.


faustf
Communicator

You are right, it worked.


nickhills
Ultra Champion

I am not sure what you mean by ($failureId$/1000).
Do you mean that your failure id is a large number, e.g. 37000, and you are trying to convert this to 37?
Or are you trying to divide the number of occurrences of a given failure id by 1000?
Whilst I am asking questions, what is the significance of -15 from a failure id?

If my comment helps, please give it a thumbs up!

faustf
Communicator

The failureID is a TimeStamp like this: 1487753100000000, but to let Splunk treat this as a timestamp I have to perform this division: 1487749956/1000000 (sorry, it is not 1000 but 1000000).

For example the following is a query that I created and it's working

index=myindex sourcetype="csv" Resource=myres  myfield=* FailureID=*  | eval _time=(FailureID/1000000) | table _time, myfield

Then I want to get all the logs that are between my (FailureIDTimestamp - 15 minutes) and FailureIDTimestamp.


niketn
Legend

Another thing you need to explain is the -15 min. Is it 15 minutes prior to the DateTime value selected as the Label in the Dropdown?


faustf
Communicator

Yes, the user selects the failureID (that is my type of timestamp) in the dropdown (the token of the dropdown is $failureId$) and I want to perform a query to create a line chart using this time range: [$failureId$/1000000 - 15m, $failureId$/1000000]
