Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Dashboard Input Error When Time Is Set As "All...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey guys, i'm new to splunk and i really need ur help!!!
i built a form with an input
<input type="time" token="time1" searchWhenChanged="true">
<label>Time</label>
<default>
<earliestTime>-24h@d</earliestTime>
<latestTime>@d</latestTime>
</default>
</input>
and my search string is
<query>
index=ha "ha_fids: Terminating CM" earliest=$time1.earliest$ latest=$time1.latest$
| eval time=_time
| stats count by time
| SORT -time
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time)
| rename time as WarningTime
| table WarningTime
</query>
everything works fine except an error occurs when i choose "all time" on the input bar :
"Error in 'search' command: unable to parse the search: Comparator '=' is missing a term on the right hand side."
my guess was when i choose "all time", earliest=$time1.earliest$, which is null. so i tried with double quotes around the tokens.
earliest="$time1.earliest$" latest="$time1.latest$"
no errors occur and no results are found. so how do i correct my search string?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Luies,
I see that you are using splunk 6.2 if it is the case we change earliestTime and latestTime into earliest and latest in your input setting
Try to to use the time range like this:enter code here
<search>
<query>
index=ha "ha_fids: Terminating CM"
| eval time=_time
| stats count by time
| SORT -time
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time)
| rename time as WarningTime
| table WarningTime
</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Luies,
I see that you are using splunk 6.2 if it is the case we change earliestTime and latestTime into earliest and latest in your input setting
Try to to use the time range like this:enter code here
<search>
<query>
index=ha "ha_fids: Terminating CM"
| eval time=_time
| stats count by time
| SORT -time
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time)
| rename time as WarningTime
| table WarningTime
</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What if those tokens should work on a sub-search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your problem here is that "All time" doesn't use an earliest or latest time, it simply searches through everything. Which is probably whats causing your error, Why are you using earliest and latest time in your searches? Surely you should use a timepicker in your dashboard and use those values as your search string.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
