Dashboards & Visualizations

How do I change the earliest and latest based on another token?

oangarita
Explorer

Hello,

This is similar to https://answers.splunk.com/answers/506314/in-my-dashboard-how-to-set-the-default-latest-time.html#an..., but I'm trying to change the earliest and latest in based on another token. I've been trying things like this:

<change>
  <eval token="tperiodo2earliest">case(isnum('earliest'), earliest, earliest="now", Now(), 1=1, relative_time(Now(), 'earliest'))</eval>
  <eval token="tperiodo1e">relative_time(earliest,"-1y")</eval>
  <eval token="tperiodo1l">relative_time(latest,"-1y")</eval>

And then put it in the other selector:

<label>Periodo Comparacion</label>
  <default>
    <earliest>$tperiodo1e$</earliest>
    <latest>$tperiodo1l$</latest>
  </default>

I'm also trying put the: tperiodo2.earliest and tperiodo2.latest

But not work for me, you have any idea?.

Thanks a lot!

0 Karma

oangarita
Explorer

Hi niketnilay,

I need that the time can be used it in a kv store search:

Something like this ( Im using the first search that you send to me to assign the values for the tperiodo1 token, I'm omitting that part in this part of code) :

<panel> 
<input type="time" token="tperiodo2" searchWhenChanged="true">
        <label>Periodo Analisis</label>
        <default>
          <earliest>-1month@month</earliest>
          <latest>@month</latest>
        </default>
        <change>
          <eval token="tperiodo2earliest">case(isnum('earliest'), earliest, earliest="now", Now(), 1=1, relative_time(Now(), 'earliest'))</eval>
          <eval token="tperiodo2latest">case(isnum('latest'), latest, latest="now", Now(), 1=1, relative_time(Now(), 'latest'))</eval>
          <eval token="tperiodo2earliestl">case(isnum('earliest'), strftime(earliest,"%d-%b-%Y %I:%M %p"), earliest="now", strftime(Now(),"%d-%b-%Y %I:%M %p"), 1=1, strftime(relative_time(Now(), 'earliest'),"%d-%b-%Y %I:%M %p"))</eval>
          <eval token="tperiodo2latestl">case(isnum('latest'), strftime(latest,"%d-%b-%Y %I:%M %p"), latest="now", strftime(Now(),"%d-%b-%Y %I:%M %p"), 1=1, strftime(relative_time(Now(), 'latest'),"%d-%b-%Y %I:%M %p"))</eval>
        </change>
      </input>
      </panel>
      <panel depends="$tiempo1$">
      <input type="time" token="tperiodo1" searchWhenChanged="false">
        <label>Periodo Comparacion</label>
        <default>
          <earliest>-13mon@mon</earliest>
          <latest>-1y@mon</latest>
        </default>
        <change>
        <condition match="$tperiodo2$!=0" >
          <set token="tperiodo1.earliest">$tperiodo1e$</set>
          <set token="tperiodo1.latest">$tperiodo1l$</set>
        </condition>
        </change>
        <change>
           <eval token="tperiodo1earliest">case(isnum('earliest'), earliest, earliest="now", Now(), 1=1, relative_time(Now(), 'earliest'))</eval>
          <eval token="tperiodo1latest">case(isnum('latest'), latest, latest="now", Now(), 1=1, relative_time(Now(), 'latest'))</eval>
        </change>
        </input>
      </panel>
      <panel>

Or maybe something like this:

<panel>
      <table>
        <search id="tiempoc">
          <query>| makeresults
 | addinfo
 | eval earliestEpoch=relative_time(info_min_time,"-1y")
 | eval latestEpoch=relative_time(info_max_time,"-1y")
 | eval earliestString=strftime(earliestEpoch,"%d-%b-%Y %I:%M %p")
 | eval latestString=strftime(latestEpoch,"%d-%b-%Y %I:%M %p")
 </query>
 <done>
    <set token="tperiodo1e">$result.earliestEpoch$</set>
       <set token="tperiodo1l">$result.latestEpoch$</set>
       <set token="tperiodo1earliestl">$result.earliestString$</set>
       <set token="tperiodo1latestl">$result.latestString$</set>

----- 
Here is where Im Trying to give it the format to use it in the kvstore search:


      <eval token="tperiodo1earliest">case(isnum('$tperiodo1e$'), $tperiodo1e$, $tperiodo1e$="now", Now(), 1=1, relative_time(Now(), '$tperiodo1e$'))</eval>
       <eval token="tperiodo1latest">case(isnum('$tperiodo1l$'), $tperiodo1l$, $tperiodo1l$="now", Now(), 1=1, relative_time(Now(), '$tperiodo1l$'))
      </eval>

-----

 </done>
          <earliest>$tperiodo2.earliest$</earliest>
          <latest>$tperiodo2.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
0 Karma

niketn
Legend

@oangarita sorry I misunderstood your question.
Your question has two parts:
1) Based on your first Time input's default value you need to have your second time picker's default value.
2) When first time picker changes, it should change second time picker values as well.

For the first one with default value tokens can not be used as default can be set only one time as string values not tokens. You would need the following:

  <input type="time" token="tokTime1" searchWhenChanged="true">
    <label></label>
    <default>
      <earliest>-1mon@mon</earliest>
      <latest>@mon</latest>
    </default>
  </input>
  <input type="time" token="tokTime2" searchWhenChanged="true">
    <label></label>
    <default>
      <earliest>-1mon@mon-1y</earliest>
      <latest>@mon-1y</latest>
    </default>
  </input>

For the second one if you want the changes to first time picker to calculate previous year's earliest and latest time and assign to the second time picker, you can use the following to set the form tokens for second time input in the independent search:

  <set token="form.tokTime2.earliest">$result.earliestEpoch$</set>
  <set token="form.tokTime2.latest">$result.latestEpoch$</set>

Following is the Run any dashboard example for you to try out and confirm. NO JS REQUIRED 🙂 !

<form>
  <label>Time Picker Tokens</label>
  <!-- Independent search to set the Time Inputs -->
  <search>
    <query>| makeresults
| addinfo
| eval earliestEpoch=relative_time(info_min_time,"-1y")
| eval latestEpoch=relative_time(info_max_time,"-1y")
| eval earliestString=strftime(earliestEpoch,"%d-%b-%Y %I:%M %p")
| eval latestString=strftime(latestEpoch,"%d-%b-%Y %I:%M %p")
    </query>
    <done>
      <set token="tokLastYearEarliestEpoch">$result.earliestEpoch$</set>
      <set token="tokLastYearLatestEpoch">$result.latestEpoch$</set>
      <set token="tokLastYearEarliestString">$result.earliestString$</set>
      <set token="tokLastYearLatestString">$result.latestString$</set>
      <set token="form.tokTime2.earliest">$result.earliestEpoch$</set>
      <set token="form.tokTime2.latest">$result.latestEpoch$</set>
    </done>
    <earliest>$tokTime1.earliest$</earliest>
    <latest>$tokTime1.latest$</latest>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="tokTime1" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-1mon@mon</earliest>
          <latest>@mon</latest>
        </default>
      </input>
      <input type="time" token="tokTime2" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-1mon@mon-1y</earliest>
          <latest>@mon-1y</latest>
        </default>
      </input>
      <html>
        <div>
          <p>tokLastYearEarliestEpoch: $tokLastYearEarliestEpoch$</p>
          <p>tokLastYearLatestEpoch: $tokLastYearLatestEpoch$</p>
          <p>tokLastYearEarliestString: $tokLastYearEarliestString$</p>
          <p>tokLastYearLatestString: $tokLastYearLatestString$</p>
        </div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@oangarita which input is the <change> event handler associated with? What is the second input where you want to pass on the value?

Is your use case to take earliest and latest time from one Time Picker input and pass on the same to another time picker input's default values after moving back earliest and latest by 1 year? Do you need to show the second time picker or can it remain as hidden tokens in your dashboard?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

oangarita
Explorer

Hi, Sorry I delete the first row.

I have one input:

    <label>Periodo Analisis</label>
    <default>
      <earliest>-1month@month</earliest>
      <latest>@month</latest>
    </default>
    <change>
      <eval token="tperiodo2earliest">case(isnum('earliest'), earliest, earliest="now", Now(), 1=1, relative_time(Now(), 'earliest'))</eval>
      <eval token="tperiodo2latest">case(isnum('latest'), latest, latest="now", Now(), 1=1, relative_time(Now(), 'latest'))</eval>
      <eval token="tperiodo2earliestl">case(isnum('earliest'), strftime(earliest,"%d-%b-%Y %I:%M %p"), earliest="now", strftime(Now(),"%d-%b-%Y %I:%M %p"), 1=1, strftime(relative_time(Now(), 'earliest'),"%d-%b-%Y %I:%M %p"))</eval>
      <eval token="tperiodo2latestl">case(isnum('latest'), strftime(latest,"%d-%b-%Y %I:%M %p"), latest="now", strftime(Now(),"%d-%b-%Y %I:%M %p"), 1=1, strftime(relative_time(Now(), 'latest'),"%d-%b-%Y %I:%M %p"))</eval>

And I want take that same time but with a year earlier and pass that to another input.

So I think it should be something like this:

    <label>Periodo Analisis</label>
    <default>
      <earliest>-1month@month</earliest>
      <latest>@month</latest>
    </default>
    <change>
   <eval token="tperiodo1e">relative_time('earliest',"-1y")</eval>
   <eval token="tperiodo1l">relative_time('latest',"-1y")</eval>
      <eval token="tperiodo2earliest">case(isnum('earliest'), earliest, earliest="now", Now(), 1=1, relative_time(Now(), 'earliest'))</eval>
      <eval token="tperiodo2latest">case(isnum('latest'), latest, latest="now", Now(), 1=1, relative_time(Now(), 'latest'))</eval>
      <eval token="tperiodo2earliestl">case(isnum('earliest'), strftime(earliest,"%d-%b-%Y %I:%M %p"), earliest="now", strftime(Now(),"%d-%b-%Y %I:%M %p"), 1=1, strftime(relative_time(Now(), 'earliest'),"%d-%b-%Y %I:%M %p"))</eval>
      <eval token="tperiodo2latestl">case(isnum('latest'), strftime(latest,"%d-%b-%Y %I:%M %p"), latest="now", strftime(Now(),"%d-%b-%Y %I:%M %p"), 1=1, strftime(relative_time(Now(), 'latest'),"%d-%b-%Y %I:%M %p"))</eval>

And then put it in the other selector:

 <label>Periodo Comparacion</label>
   <default>
     <earliest>$tperiodo1e$</earliest>
     <latest>$tperiodo1l$</latest>
   </default>

      <eval token="tperiodo1earliest">case(isnum('earliest'), earliest, earliest="now", Now(), 1=1, relative_time(Now(), 'earliest'))</eval>
      <eval token="tperiodo1latest">case(isnum('latest'), latest, latest="now", Now(), 1=1, relative_time(Now(), 'latest'))</eval>
      <eval token="tperiodo1earliestl">case(isnum('earliest'), strftime(earliest,"%d-%b-%Y %I:%M %p"), earliest="now", strftime(Now(),"%d-%b-%Y %I:%M %p"), 1=1, strftime(relative_time(Now(), 'earliest'),"%d-%b-%Y %I:%M %p"))</eval>
      <eval token="tperiodo1latestl">case(isnum('latest'), strftime(latest,"%d-%b-%Y %I:%M %p"), latest="now", strftime(Now(),"%d-%b-%Y %I:%M %p"), 1=1, strftime(relative_time(Now(), 'latest'),"%d-%b-%Y %I:%M %p"))</eval></change>

But is not worwing good.

And I have another peculiarity, that I have to give it the format so I can search later in a KVStore.

Yes Im showing the time thats why I give it the format wiht strftime.

0 Karma

niketn
Legend

@oangarita you can use independent search to set the earliest and latest tokens for selected time range for last year. However, the tokens can not be directly assigned as default earliest and latest for second time picker input as the other time picker will be rendered before the tokens are evaluated.

If you really want the second time picker input, I would think that would be possible through Splunk JS to render after the tokens are set. Or else use <html> time inputs with Simple XML JS extension to set the tokens as default value. In either case it would require JavaScript.

Following is a run anywhere example which sets the earliest and latest to same time selection as time input but for last year. This example however, does not assign the tokens to another dependent time picker with default time.

<form>
  <label>Time Picker Tokens</label>
  <!-- Independent search to set the Time Inputs -->
  <search>
    <query>| makeresults
| addinfo
| eval earliestEpoch=relative_time(info_min_time,"-1y")
| eval latestEpoch=relative_time(info_max_time,"-1y")
| eval earliestString=strftime(earliestEpoch,"%d-%b-%Y %I:%M %p")
| eval latestString=strftime(latestEpoch,"%d-%b-%Y %I:%M %p")
    </query>
    <done>
      <set token="tokLastYearEarliestEpoch">$result.earliestEpoch$</set>
      <set token="tokLastYearLatestEpoch">$result.latestEpoch$</set>
      <set token="tokLastYearEarliestString">$result.earliestString$</set>
      <set token="tokLastYearLatestString">$result.latestString$</set>
    </done>
    <earliest>$tokTime1.earliest$</earliest>
    <latest>$tokTime1.latest$</latest>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="tokTime1" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-1mon@mon</earliest>
          <latest>@mon</latest>
        </default>
      </input>
      <html>
        <div>
          <p>tokLastYearEarliestEpoch: $tokLastYearEarliestEpoch$</p>
          <p>tokLastYearLatestEpoch: $tokLastYearLatestEpoch$</p>
          <p>tokLastYearEarliestString: $tokLastYearEarliestString$</p>
          <p>tokLastYearLatestString: $tokLastYearLatestString$</p>
        </div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

oangarita
Explorer

Hi @niketnilay thanks a lot for your help, but I have a question, how a pass the value for the tokLastYearEarliestEpoch and tokLastYearLatestEpoch to my input time? doesn't have to be the default value, is ther a way or I have to do the Splunk JS or html that you said to me?.

Or the other way that Im'm trying is to format the time so I can search later in the kvstore, but it's not working, instead it is placing the current date.

<panel>
      <table>
        <search id="tiepoc">
          <query>| makeresults
 | addinfo
 | eval earliestEpoch=relative_time(info_min_time,"-1y")
 | eval latestEpoch=relative_time(info_max_time,"-1y")
 | eval earliestString=strftime(earliestEpoch,"%d-%b-%Y %I:%M %p")
 | eval latestString=strftime(latestEpoch,"%d-%b-%Y %I:%M %p")
 </query>
 <done>
    <set token="tperiodo1e">$result.earliestEpoch$</set>
       <set token="tperiodo1l">$result.latestEpoch$</set>
       <set token="tperiodo1earliestl">$result.earliestString$</set>
       <set token="tperiodo1latestl">$result.latestString$</set>
      <eval token="tperiodo1earliest">case(isnum('$tperiodo1e$'), $tperiodo1e$, $tperiodo1e$="now", Now(), 1=1, relative_time(Now(), '$tperiodo1e$'))</eval>
       <eval token="tperiodo1latest">case(isnum('$tperiodo1l$'), $tperiodo1l$, $tperiodo1l$="now", Now(), 1=1, relative_time(Now(), '$tperiodo1l$'))
      </eval>
 </done>
          <earliest>$tperiodo2.earliest$</earliest>
          <latest>$tperiodo2.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>

Regards,
Osmary

PD: I don'n know what happend but in my xml is deleting the part of set token

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Converted from an answer to a question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...