Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Drilldown with dynamic relative_time

Micke
Observer
‎01-13-2023 04:45 AM

I am trying to drilldown within a dashboard. I wish set a token-value with relative_time, using a dynamic relative time specifier input-variable.

If I set the relative time specifier to "+1h" it works fine: <eval token="endTime_token">relative_time($startTime_token$, "+1h")</eval>

But when I use a token with value "1h" it does not: <eval token="endTime_token2">relative_time($startTime_token$, "+$resultion_token$"</eval>

I paste my complete code as reference:

 

 

<form>
<label>Drilldown-lab</label>
<fieldset submitButton="false">
    <input type="time" token="period_token">
      <label>Period</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>@h</latest>
      </default>
    </input>
    <input type="dropdown" token="resolution_token">
      <label>Resolution</label>
      <choice value="15m">15 minutes</choice>
      <choice value="1h">1 hour</choice>
      <default>1h</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Overview-panel</title>
      <table>
        <search>
          <query>
            index="my_index"
            | bin _time span=$resolution_token$
            | eval startTime = strftime(_time, "%Y-%m-%d %H:%M")
            | stats count by startTime
            </query>
          <earliest>$period_token.earliest$</earliest>
          <latest>$period_token.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <eval token="startTime_token">strptime($row.startTime$, "%Y-%m-%d %H:%M")</eval>
          <eval token="endTime_token">relative_time($startTime_token$, "+1h")</eval>
          <eval token="endTime_token2">relative_time($startTime_token$, "+$resultion_token$"</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$startTime_token$">
      <title>Drilldown-panel $endTime_token$, $endTime_token2$</title>
      <table>
        <search>
          <query>
            index="my_index"
            | stats avg(responseTimeMs) as Responsetime_avg count by assetId
          </query>
          <earliest>$startTime_token$</earliest>
          <latest>$endTime_token$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

 

 

 

 I am able to calculate the endTime-value in my query (SPL), I would prefer to be able to set it with "eval token".

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-13-2023 05:12 AM

Apart from fixing the typo, try this

<eval token="endTime_token2">relative_time($startTime_token$, "+".$resolution_token$</eval>
0 Karma
Reply

Micke
Observer
‎01-13-2023 05:27 AM

Works perfect, thank you (and also for pointing out the typo)!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...