Dynamically add a day to latest time?

Path Finder

I am changing the Simple XML for a drilldown to go to another panel on my dashboard.
Currently there is a line graph and you can click on any point to see more information about it, but I want to bring the dates with it. I can easily set the earliest date to the date that is on the chart, but obviously if I also set the latest date as the same date on the chart, nothing will show up, because Splunk includes the time in the date as well.

So the drilldown XML code looks like this:

<drilldown>
  <link>
    <![CDATA[ request_stats?form.sourcetype=$click.name2$&early=$click.value$&form.team=$team$&form.app=$app$ ]]>
  </link>
</drilldown>

And the search I'm running takes in the time like this:

"Name" = "$form.sourcetype$" earliest=$early$ [search "AppName" = "Master" "Status" = "500" | fields + ContextId]

And I want to enter the latest time as something like latest=earliest+1d, with the idea in mind that if earliest is set to July 18th 2014 at midnight, then latest would be set to July 19th 2014 at midnight.

Or I could set it in the URL for the drilldown; I just don't know how to do either. Feel free to ask a question for clarification on what I said above.


Re: Dynamically add a day to latest time?

SplunkTrust

You could do this:

Name="$form.sourcetype$" earliest=$early$ latest=`relative_time($early$, "+d")` [search AppName="Master" Status=500 | fields ContextId]

That's an eval-based macro (Settings -> Advanced Search -> Macros) you need to define as relative_time(2) with two parameters time,relative and this body:

 relative_time($time$, "$relative$")

Re: Dynamically add a day to latest time?

Path Finder

I'm getting an invalid value "relative_time" for time term 'latest'

I put relativetime(2) as the name
I put time,relative as arguments (it wouldn't let me use $ signs)
I put relative
time($time$, "$relative$") in the definition


Re: Dynamically add a day to latest time?

SplunkTrust

Check whether the relevant part of your macros.conf looks like this:

[relative_time(2)]
args = time,relative
definition = relative_time($time$, "$relative$")
iseval = 1

Also make sure you have the appropriate backticks around the macro call:

... latest=`relative_time($early$, "+d")` ...

Re: Dynamically add a day to latest time?

SplunkTrust

You should take a look at getting the macro to work - it'll be miles faster than launching an entire subsearch just to do a tiny calculation.

You know the search for AppName="Master" isn't affected by the outer earliest and latest, right?


Re: Dynamically add a day to latest time?

SplunkTrust

Try this

Name="$form.sourcetype$" earliest=$early$ latest=[|gentimes start=-1 | eval t=relative_time($early$,"+d")| return $t][search AppName="Master" Status=500 | fields ContextId]


Re: Dynamically add a day to latest time?

SplunkTrust

That $t may throw off the dashboard; you'll need to escape it with another dollar sign.


Re: Dynamically add a day to latest time?

Path Finder

That worked perfectly! Thank you
