Re: Dashboard search "eval" token returns wrong re...

gabriel_vasseur · ‎07-14-2016

In my dashboard:

<dashboard>
  <label>...</label>
  <search id="basesearch">
    <query>...</query>
    <earliest>-7d@w1</earliest>
    <latest>@w1</latest>
    <preview>
      <eval token="earliest_token">$job.request.earliest_time$</eval>
      <eval token="earliest_token2">strftime( relative_time( now(), $job.request.earliest_time$ ), "%d/%m/%Y %H:%M" )</eval>
    </preview>
  </search>
  <row>
    <panel depends="$earliest_token$">
      <html>
        <p>Earliest $earliest_token$ converts to $earliest_token2$</p>
      </html>
    </panel>
  </row>
  ...

This displays:

Earliest -7d@w1 converts to 05/07/2016 00:00

Which is wrong: It should be the 4th of July. The other panels in the dashboard, all fed by the base search, are indeed showing data starting from the 4th of July. And if I run this in a regular search window:

| stats count | eval count=strftime( relative_time( now(), "-7d@w1" ), "%c" )

I get the right result:

Mon Jul 4 00:00:00 2016

So why is my dashboard eval lying?

dajomas · ‎07-03-2022

@gabriel_vasseur did you ever get this issue fixed? My dashboard just started to show the same issue after it ran ok for over a week. (Running Splunk 9.0.0)

ITWhisperer · ‎07-03-2022

This does look like a defect that has been re-introduced with 9.0.0. Please raise a ticket with your support team.

Having said that, it appears to be a problem for tokens not for SPL in dashboards. Can you work around it by modifying your search queries?

dajomas · ‎07-04-2022

Unfortunately, there is this weird thing, where it DOES work on my mobile but not on my laptop (using Chrome)

Thing is, I use a drilldown in a bar graph to set the year and month for another bar graph (first bargraph is a monthly total for a given year, second bar graph is a daily total for a given month. When you click on a specific month, it shoul show that month in the second bar graph, but it show a month earlier. Same for a third graph that shows a specific day, which you can select by clicking on a date in the second bargraph.)

Now, when I open the search in a separate window and I add the exact same evals which are used in the dropdown, the correct values are shown. But when I click in the graph, the wrong values are used (the values from 1 bar to the left)

sundareshr · ‎07-14-2016

I just test this, & I get Earliest -7d@w1 converts to 04/07/2016 00:00

<dashboard>
   <label>...</label>
   <search id="basesearch">
     <query>index=_internal | head 1</query>
     <earliest>-7d@w1</earliest>
     <latest>@w1</latest>
     <preview>
       <eval token="earliest_token">$job.request.earliest_time$</eval>
       <eval token="earliest_token2">strftime( relative_time( now(), $job.request.earliest_time$ ), "%d/%m/%Y %H:%M" )</eval>
     </preview>
   </search>
   <row>
     <panel depends="$earliest_token$">
       <html>
         <p>Earliest $earliest_token$ converts to $earliest_token2$</p>
       </html>
     </panel>
   </row>
</dashboard>

gabriel_vasseur · ‎07-14-2016

I can't see any difference in your code, compared to mine, so I'm guessing what you're saying is "WFM"? 😞

sundareshr · ‎07-14-2016

I copied your code 🙂

Dashboard search "eval" token returns wrong result, same code gets right answer when run in search window

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application