Solved: How can I set the default value of 2 tokens during...

toutla · ‎08-24-2020

I have been able to set the value of 2 tokens anytime the timepicker is changed by using the below code:

<label>Time Range</label>

</default>

<eval token="relstart_time">strftime(relative_time(now(), 'time_token.earliest'), "%m/%d/%Y %T")</eval>

<eval token="relend_time">strftime(relative_time(now(), 'time_token.latest'), "%m/%d/%Y %T")</eval>

</change>

</input>

However, upon page load both tokens reflect the value of now() instead of the default earliest/latest values. The values will not update until I change the timepicker. I have attempted to use multiple variations of the below settings in the <init> tag, is this the right way to go, and if so, can anyone help with the correct syntax?

<init>
<eval token="relstart_time">strftime(relative_time(now(), -7d@h), "%m/%d/%Y %T")</eval>
<eval token="relend_time">strftime(now(),"%m/%d/%Y %T")</eval>
</init>

niketn · ‎08-25-2020

You can refer to one of my previous answer on similar lines which uses Independent search as one of the option to set the required token.

https://community.splunk.com/t5/Archive/Running-one-of-two-searches-based-on-time-picker-selection/t...

Following is a run anywhere example based on your question that you can try and confirm!

<form>
  <label>Time input tokens</label>
  <fieldset submitButton="false">
    <input type="time" searchWhenChanged="true" token="time_token">
        <label>Time Range</label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
        <change>
          <eval token="relstart_time"></eval>
          <eval token="relend_time"></eval>
         </change>   
    </input>
  </fieldset>
  <!-- Independent search to perform complex Time token conversions using SPL -->
  <search>
    <query>| makeresults 
| addinfo 
| eval info_min_time=replace(info_min_time,"\.\d+",""), 
info_max_time=replace(info_max_time,"\.\d+","") 
| eval startTimeDelta="-".tostring(now()-info_min_time),
endTimeDelta="-".tostring(now()-info_max_time) 
| eval relstart_time=strftime(relative_time(now(),startTimeDelta),"%m/%d/%Y %T"),
relend_time=strftime(relative_time(now(),endTimeDelta),"%m/%d/%Y %T")
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
    <done>
      <set token="relstart_time">$result.relstart_time$</set>
      <set token="relend_time">$result.relend_time$</set>
    </done>
  </search>
  <row>
    <panel>
      <html>
        relstart_time: $relstart_time$<br></br>
        relend_time: $relend_time$
      </html>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎08-25-2020

You can refer to one of my previous answer on similar lines which uses Independent search as one of the option to set the required token.

https://community.splunk.com/t5/Archive/Running-one-of-two-searches-based-on-time-picker-selection/t...

Following is a run anywhere example based on your question that you can try and confirm!

<form>
  <label>Time input tokens</label>
  <fieldset submitButton="false">
    <input type="time" searchWhenChanged="true" token="time_token">
        <label>Time Range</label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
        <change>
          <eval token="relstart_time"></eval>
          <eval token="relend_time"></eval>
         </change>   
    </input>
  </fieldset>
  <!-- Independent search to perform complex Time token conversions using SPL -->
  <search>
    <query>| makeresults 
| addinfo 
| eval info_min_time=replace(info_min_time,"\.\d+",""), 
info_max_time=replace(info_max_time,"\.\d+","") 
| eval startTimeDelta="-".tostring(now()-info_min_time),
endTimeDelta="-".tostring(now()-info_max_time) 
| eval relstart_time=strftime(relative_time(now(),startTimeDelta),"%m/%d/%Y %T"),
relend_time=strftime(relative_time(now(),endTimeDelta),"%m/%d/%Y %T")
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
    <done>
      <set token="relstart_time">$result.relstart_time$</set>
      <set token="relend_time">$result.relend_time$</set>
    </done>
  </search>
  <row>
    <panel>
      <html>
        relstart_time: $relstart_time$<br></br>
        relend_time: $relend_time$
      </html>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

toutla · ‎08-25-2020

Thanks, this was just what we needed!

How can I set the default value of 2 tokens during page load?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How can I set the default value of 2 tokens during page load?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases