Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Dynamically passing time-picker token in start...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dynamically passing time-picker token in startime for "|gentimes"
egonstep
Path Finder
10-07-2019
06:55 AM
Hello all, I have a dashboard and I need the "|gentimes" command to generate dynamic values accordingly to the selected time picker. Picking up the earliest event from the search.
| gentimes start=$field1.earliest$ increment=3h
| convert timeformat="%Y/%m/%d - %H" ctime(starttime)
| rename starttime as date
| table date
I tried to search inside the start argument but It throws an error:
[subsearch]: command="gentimes", generatetimestamps requires start=mm/dd/yyyy:hh:mm:ss and optional takes 'end' and 'increment' values
The full query (with gentimes error):
base search
| append
[| gentimes start= [search "base search"
| tail 1
| convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(_time) as dt
| eval firstEvent = dt
| return $firstEvent] increment=3h
| convert timeformat="%Y/%m/%d - %H" ctime(starttime)
| rename starttime as defaultDate
| table defaultDate]
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
10-07-2019
09:27 PM
Make the subsearch in gentimes into a post process/base search and pass a token. I believe the reason it doesn't work is the way that it passes the argument.
<dashboard>
......
<search>
<query>"base search"
| tail 1
| convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(_time) as dt
| return $dt</query>
<done>
<set token="token">$result.dt$</set>
</done>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<row>
<panel>
<table>
<search>
<query>base search
| append
[| gentimes start=$token$ increment=3h| convert timeformat="%Y/%m/%d - %H" ctime(starttime)
| rename starttime as defaultDate
| table defaultDate]</query>
.........
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
egonstep
Path Finder
10-08-2019
10:23 AM
@cmerriman Thanks for your response. But unfortunately, it throws another error:
[subsearch]: command='gentimes', invalid literal for int() with base 10: "$result.dt$"
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
