Dashboards & Visualizations

Custom Time dropdown

AKG11
Path Finder

Hi,

I am looking to add a custom time picker on a dashboard. It's going to be a simple dropdown with options for the last 12 months (one option for each month in the last year).

I have created the dropdown as per the requirement. Now I'm wondering how to use it in the rest of the dashboard so the dashboard will get updated as per the selection.

Query

| makeresults
| addinfo 
| eval date=mvrange(info_min_time,info_max_time,"1mon") 
| mvexpand date
| sort - date
| eval Month=strftime(date,"%b-%y")
| table Month date

[screenshot of the dropdown, attached to the original post]


AKG11
Path Finder

Found a solution.

<search base="basesearch_time">
  <query>| where Month="$month_token$"
| table start end</query>
  <done>
    <set token="start">$result.start$</set>
    <set token="end">$result.end$</set>
  </done>
</search>



<input type="dropdown" token="month_token" searchWhenChanged="true">
  <label>Month's Report</label>
  <fieldForLabel>Month</fieldForLabel>
  <fieldForValue>Month</fieldForValue>
  <search id="basesearch_time">
    <query>| makeresults
| addinfo
| eval date=mvrange(info_min_time,info_max_time,"1mon")
| mvexpand date
| sort - date
| eval Month=strftime(date,"%b-%y")
| eval start=round(relative_time(date,"@mon"),0), end=round(relative_time(date, "@mon+1mon-1d")+86400,0)
| table Month start end</query>
    <earliest>-12mon@mon</earliest>
    <latest>@mon</latest>
  </search>
  <selectFirstChoice>true</selectFirstChoice>
</input>



anooshac
Communicator

Hi @AKG11 ,

I'm trying to use your solution. I have used this query to populate the dropdown.

| makeresults
| addinfo 
| eval date=mvrange(info_min_time,info_max_time,"1mon") 
| mvexpand date
| sort - date
| eval Month=strftime(date,"%b-%y")
| table Month date

May I know how you used this token from the drilldown in searches, so that the searches will take the exact month selected?

AKG11
Path Finder

@anooshac There is a 2nd part of this query. In this section, based on the month selection, it will set the earliest and latest time in the "start" and "end" tokens. Use these tokens in the respective searches. Basically these tokens hold the earliest and latest time in epoch format for the selected month.

PS: I have to use a separate sub-search because $result.token_name$ only works for one entry.

<search base="basesearch_time">
  <query>| where Month="$month_token$"
| table start end</query>
  <done>
    <set token="start">$result.start$</set>
    <set token="end">$result.end$</set>
  </done>
</search>

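To show how the pieces above fit together end to end, here is a complete Simple XML dashboard as an added example; it is not code from the thread itself, only an assembly of AKG11's dropdown, the hidden post-process search that sets $start$ and $end$, and one panel that consumes them. The index and sourcetype names are placeholders, and the panel title echoes the resolved tokens so a wrong or unset value is visible immediately rather than silently widening the search window.

```xml
<form version="1.1">
  <label>Monthly report (assembled example, not from the thread)</label>

  <!-- Hidden post-process search (form level, no panel): narrows the
       dropdown's base search to the selected row and copies that row's
       epoch boundaries into $start$ and $end$. $result.*$ only reads the
       first result row, which is why the where-filter is needed. -->
  <search base="basesearch_time">
    <query>| where Month="$month_token$"
| table start end</query>
    <done>
      <set token="start">$result.start$</set>
      <set token="end">$result.end$</set>
    </done>
  </search>

  <fieldset submitButton="false">
    <input type="dropdown" token="month_token" searchWhenChanged="true">
      <label>Month's Report</label>
      <fieldForLabel>Month</fieldForLabel>
      <fieldForValue>Month</fieldForValue>
      <!-- Base search: one row per calendar month in the last 12 months.
           addinfo exposes the earliest/latest set below as
           info_min_time / info_max_time; mvrange steps through them
           one month at a time. -->
      <search id="basesearch_time">
        <query>| makeresults
| addinfo
| eval date=mvrange(info_min_time,info_max_time,"1mon")
| mvexpand date
| sort - date
| eval Month=strftime(date,"%b-%y")
| eval start=round(relative_time(date,"@mon"),0), end=round(relative_time(date, "@mon+1mon-1d")+86400,0)
| table Month start end</query>
        <earliest>-12mon@mon</earliest>
        <latest>@mon</latest>
      </search>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>

  <row>
    <panel>
      <!-- Echo the resolved tokens: if $start$/$end$ are blank or unresolved
           the title shows it, instead of the panel quietly running unbounded. -->
      <title>Events for $month_token$ (epoch $start$ to $end$)</title>
      <chart>
        <search>
          <!-- YOUR_INDEX / YOUR_SOURCETYPE are placeholders -->
          <query>index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| timechart span=1d count</query>
          <earliest>$start$</earliest>
          <latest>$end$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

Two things to check when adapting this: the form-level `<search base="...">` must reference the `id` of the dropdown's search exactly, and any panel that should follow the picker must use `$start$`/`$end$` in its `<earliest>`/`<latest>` rather than `$month_token$`, which only holds the label text such as "Jan-24".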

isoutamo
SplunkTrust

Hi

Could you also tell us what you want to do with those values? Are you looking for events based on it for only one month at a time, or what are you looking for?

Basically do something like this:

<form version="1.1" theme="light">
  <label>Create month base time picker</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="timePicker" searchWhenChanged="true">
      <label>Month Year</label>
      <fieldForLabel>Month</fieldForLabel>
      <fieldForValue>rTime</fieldForValue>
      <search>
        <query>| makeresults count=12
| streamstats count
| eval rTime = relative_time(now(), "-". count . "mon")
| eval Month = strftime(rTime,"%b-%y")
| table rTime Month</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
</form>

Then add this token "$timePicker$" to your other searches like:

    <panel>
      <title>Simple timechart</title>
      <chart>
        <title>SOMETHING</title>
        <search>
          <query>YOUR QUERY HERE</query>
          <earliest>$timePicker.earliest$</earliest>
          <latest>$timePicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </chart>
    </panel>

But when you want to show events e.g. within one month at a time, you must use other tokens on the dashboard. You must set those, e.g. tokEarliest and tokLatest, to the first and last second based on your selection, and then use those instead of $timePicker.earliest$ and $timePicker.latest$.

r. Ismo


AKG11
Path Finder

Thanks. Doesn't seem to be working. The token value is not getting set, as displayed in the title.
[screenshot of the panel title with the unresolved token, attached to the post]
