Display date/Time range in Dashboard

Path Finder

I want to display the date range in a dashboard.
Please help me in doing this.

0 Karma

SplunkTrust

This has definitely been answered before. What you need to do is to introduce a dummy search with your time input tokens to get the Earliest and Latest time based on time input selection through predefined search job tokens i.e. $job.earliestTime$ and $job.latestTime$. PS: I have used <done> search event handler.


Following is a sample run anywhere dashboard for the attached image:

<form>
  <label>Show Time from Time Picker</label>
  <!-- Dummy search to pull selected time range earliest and latest date/time -->
  <search>
    <query>| makeresults</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <done>
      <eval token="tokTime">$job.earliestTime$</eval>
      <eval token="tokEarliestTime">strftime(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S.%3N %p"),"%m/%d/%y %I:%M:%S.%3N %p")</eval>
      <eval token="tokLatestTime">strftime(strptime($job.latestTime$,"%Y/%m/%dT%H:%M:%S.%3N %p"),"%m/%d/%y %I:%M:%S.%3N %p")</eval>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- sample HTML Panel to display results in required format -->
      <html>
        ( $tokEarliestTime$ to $tokLatestTime$ )
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
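
A variation on the dummy-search approach in the answer above, added here as an example and not part of the original thread: the helper search runs `addinfo`, so the selected window arrives as epoch seconds and is formatted in SPL as mm/dd/yy hh:mm:ss without parsing the job timestamp string. The token names `tokRangeStart` and `tokRangeEnd`, the field names `rangeStart` and `rangeEnd`, and the sample panel query are assumptions.

```xml
<form>
  <label>Time range via addinfo (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Helper search: addinfo adds info_min_time / info_max_time (epoch seconds)
       describing the window the search actually ran over. -->
  <search>
    <query>| makeresults
| addinfo
| eval info_max_time=if(info_max_time="+Infinity", now(), info_max_time)
| eval rangeStart=strftime(info_min_time, "%m/%d/%y %H:%M:%S")
| eval rangeEnd=strftime(info_max_time, "%m/%d/%y %H:%M:%S")
| fields rangeStart rangeEnd</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <done>
      <!-- Hypothetical token names; $result.<field>$ reads the first result row -->
      <set token="tokRangeStart">$result.rangeStart$</set>
      <set token="tokRangeEnd">$result.rangeEnd$</set>
    </done>
  </search>
  <row>
    <panel>
      <!-- Dynamic panel title built from the two tokens -->
      <title>Events from $tokRangeStart$ to $tokRangeEnd$</title>
      <table>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With an "All time" selection, `info_max_time` is `+Infinity` (replaced by `now()` above) and `info_min_time` is 0, so the start renders as the epoch origin.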

Path Finder

How to display this on the scheduled PDF? It's not generating in the scheduled PDF.

0 Karma

SplunkTrust

@arayapati83, if you are trying this for Scheduled Dashboard then you have to make sure that it is not a form with inputs (i.e. root node of the view should be <dashboard> not <form>). Refer to the limitations of PDF Delivery of Dashboards in Splunk.

I tried the following and it worked fine for me:

<dashboard>
  <label>gooScheduled PDF with timestamp</label>
  <row>
    <panel>
      <title>Report runtime from $tokEarliestTime$ to $tokLatestTime$</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO component=*
| timechart count by component limit=5 useother=f usenull=f</query>
          <earliest>-1d@d</earliest>
          <latest>-0d@d</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <eval token="tokEarliestTime">strftime(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S.%3N %p"),"%m/%d/%y %I:%M:%S.%3N %p")</eval>
            <eval token="tokLatestTime">strftime(strptime($job.latestTime$,"%Y/%m/%dT%H:%M:%S.%3N %p"),"%m/%d/%y %I:%M:%S.%3N %p")</eval>
          </done>          
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

@niketnilay I copy-pasted your code above into a dashboard and tried generating PDF. Even there I get "Report runtime from $tokEarliestTime$ to $tokLatestTime$". In the PDF the tokens are not getting resolved during runtime.

I had to remove some options in the above code as I got validation errors. Could it be a different version of Splunk? We are using Splunk Version 6.5.3.1. Also tried on Splunk Version 7.0.2. Even there I didn't have to remove any options but the PDF generated didn't resolve the tokens.

0 Karma

SplunkTrust

@arayapati83, yes I had created dashboard in Splunk 7.0.2 which has Trellis option (although I have not used). Trellis was not available in Splunk 6.5, as it was introduced in 6.6

I have not tested Scheduled PDF, but Export --> Export PDF option works fine for me (refer to screenshot attached). Could you please test Export PDF and confirm?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

@niketnilay Export PDF shows fine, it's the scheduled PDF that's the problem.

0 Karma

SplunkTrust

@arayapati83, if you have a valid Splunk Entitlement, report this to Splunk Support. Since the original question here is on similar output but a different topic, please create a new question for Tokens working in Export PDF but not working in Scheduled PDF with BUG tag.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

Try this:

earliest=-2d | stats last(_time) as earliest first(_time) as latest
| eval startDate=strftime(earliest, "%B %d %Y")
| eval endDate=strftime(latest, "%B %d %Y")
| eval reportstring = "Report: ".startDate."-".endDate
| fields reportstring

0 Karma

Path Finder

| stats last(_time) as earliest first(_time) as latest
| eval startDate=strftime(earliest, "%B-%d-%Y %H:%M:%S")
| eval endDate=strftime(latest, "%B-%d-%Y %H:%M:%S")
| eval reportstring = "Report From: ".startDate." To ".endDate
| fields reportstring

0 Karma

My slight variation on the answer by @SplunkersRock...

In my dashboards, I typically use a base search to generate a bunch of fields that I use across multiple visualizations (I've removed an initial stage and a bunch of fields from this example). I generate the basic time range values in that base search, then use a more specific search to format those values:

<search id="base_metrics">
  <query>stats count earliest(_time) as earliest, latest(_time) as latest</query>
  <earliest>$earliest$</earliest>
  <latest>$latest$</latest>
</search>
<search base="base_metrics">
  <query>eval startTime=strftime(earliest, "%x %H:%M:%S")
| eval endTime=if(strftime(earliest, "%x")=strftime(latest, "%x"), strftime(latest, "%H:%M:%S"), strftime(latest, "%x %H:%M:%S"))
| eval diff=(latest-earliest)
| eval hours=floor(diff/3600)
| eval minutes=floor((diff-(hours*3600))/60)
| eval seconds=floor(diff-(hours*3600)-(minutes*60))
| eval duration=hours." hour".if(hours&gt;1,"s "," ").minutes." minute".if(minutes&gt;1,"s "," ").seconds." second".if(seconds&gt;1,"s","")</query>
  <progress>
   <condition match="'job.resultCount' > 0">
    <set token="startTime">$result.startTime$</set>
    <set token="endTime">$result.endTime$</set>
    <set token="duration">$result.duration$</set>
    <set token="eventCount">$result.count$</set>
   </condition>
   <condition>
     <unset token="startTime"></unset>
     <unset token="endTime"></unset>
     <unset token="duration"></unset>
     <unset token="eventCount"></unset>
   </condition>
  </progress>
</search>

I then use those tokens in an HTML panel (I have chosen to embed this panel in the dashboard <fieldset>):

<html depends="$eventCount$,$duration$,$startTime$,$endTime$">
  $eventCount$ events spanning $duration$ ($startTime$ to $endTime$)
</html>

Example output:

114983 events spanning 1 hour 10 minutes 57 seconds (8/14/17 06:09:54 - 07:20:51)

The faffing around with if, eval, and strftime in the query is an evolving work-in-progress to generate concise, readable output. For example, if the start and end times have the same date, omit the end date.

Feedback, suggestions welcome.

0 Karma

SplunkTrust

What is the purpose of the dashboard? In what context would you like to present that data?
You can grab this data by searching the search log or audit log... and then present the results as you wish.

0 Karma

Path Finder

I want to display earliest and latest time ranges in
mm/dd/yy hh:mm:ss format as a dynamic title to a panel.

0 Karma

SplunkTrust

So you want the panel to have the times according to the search that runs within the panel?
How do you determine that time range? Do you have a timepicker input?

0 Karma

Path Finder

Yes, I am using time picker input
field1.earliest
field1.latest

0 Karma

SplunkTrust

@sravankaripe, you need to use hideTitle="true" to hide Splunk's default dashboard title and then use HTML Panel to create your own title. You can display time using the option in my answer below.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma