Solved: Re: Dynamically add a day to latest time?

dreamwork801 · ‎07-18-2014

I am changing the Simple XML for a drilldown to go to another panel on my dashboard.
Currently there is a linegraph and you can click on any point to see more information about it, but I want to bring the dates with it. I can easily set the earliest date to the date that is on the chart, but obviously if I also set the latest date as the same date on the chart, nothing will show up, because Splunk includes the time in the date as well.

So the drilldown XML code looks like this

<drilldown>
    <link>
      <![CDATA[ request_stats?form.sourcetype=$click.name2$&early=$click.value$&form.team=$team$&form.app=$app$ ]]>
    </link>
  </drilldown>

And the search I'm running takes in the time like this:

"Name" = "$form.sourcetype$" earliest=$early$ [search "AppName" = "Master" "Status" = "500" | fields + ContextId]

And I want to enter the latest time as something like latest=earliest+1d
With the idea in mind that if earliest is set to July 18th 2014 at midnight, then latest would be set to July 19th 2014 at midnight

Or if I could set it in the URL for the drilldown, I just don't know how to do either. Feel free to ask a question for clarification on what I said above

somesoni2 · ‎07-18-2014

Try this

Name="$form.sourcetype$" earliest=$early$ latest=[|gentimes start=-1 | eval t=relative_time($early$,"+d")| return $t][search AppName="Master" Status=500 | fields ContextId]

View solution in original post

somesoni2 · ‎07-18-2014

Try this

Name="$form.sourcetype$" earliest=$early$ latest=[|gentimes start=-1 | eval t=relative_time($early$,"+d")| return $t][search AppName="Master" Status=500 | fields ContextId]

dreamwork801 · ‎07-18-2014

That worked perfectly! Thank you

martin_mueller · ‎07-18-2014

That $t may throw off the dashboard, you'll need to escape it with another dollar sign.

martin_mueller · ‎07-18-2014

You could do this:

Name="$form.sourcetype$" earliest=$early$ latest=`relative_time($early$, "+d")` [search AppName="Master" Status=500 | fields ContextId]

That's an eval-based macro (Settings -> Advanced Search -> Macros) you need to define as relative_time(2) with two parameters time,relative and this body:

 relative_time($time$, "$relative$")

martin_mueller · ‎07-18-2014

You should take a look at getting the macro to work - it'll be miles faster than launching an entire subsearch just to do a tiny calculation.

You know the search for AppName="Master" isn't affected by the outer earliest and latest, right?

martin_mueller · ‎07-18-2014

Check the relevant part of your macros.conf if it looks like this:

[relative_time(2)]
args = time,relative
definition = relative_time($time$, "$relative$")
iseval = 1

Also make sure you have the appropriate backticks around the macro call:

... latest=`relative_time($early$, "+d")` ...

dreamwork801 · ‎07-18-2014

I'm getting an invalid value "relative_time" for time term 'latest'

I put relative_time(2) as the name
I put time,relative as arguments (it wouldn't let me use $ signs)
I put relative_time($time$, "$relative$") in the definition

Dynamically add a day to latest time?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation