Dashboards & Visualizations

How do you change time tokens when comparing two time ranges?

everynameIwanti
Explorer

I'm trying to compare two time ranges in one chart like the way it was taught in this article: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html

My question is how should I change the query so that I can display it in a dashboard and be able to change the time range (eg display the two time range 3 hours ago and last week same time 3 hours ago)?

Ex. the time token is called "bandwidth_time_range", and my query will be:

index=xxx earliest=$bandwidth_time_range.earliest$ latest=$bandwidth_time_range.latest$  |eval period="today"|  append [search index=xxx earliest=$bandwidth_time_range.earliest$-7d@m latest=$bandwidth_time_range.latest$-7d@m  | eval period="last_week"   | eval _time=_time+(60*60*24*7)]  | timechart span=1m sum(bytes) by period

The panel didn't return a timechart. Instead it says "invalid value "now-7d@m" for time term "latest""

Is there any thing I can do to link the query and the time picker together?

0 Karma
1 Solution

niketn
Legend

@everynameIwantistaken if you want to substitute time ranges ( i.e. current time range and time range 7 days back) based on Time picker, you can refer to following answer which sets the time token based on independent search with either addinfo or eval to set token: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

The following run anywhere example uses addinfo to evaluate the earliest and latest time for current time and 7 days back. PS: For All Time the latest time will be +Infinity by addinfo command hence the same is converted to present time using now() function.

Please try out and confirm!

alt text

Following is the Simple XML Dashboard code for run anywhere example.

<form>
  <label>Time range based on Time Token</label>
  <!-- Set Token based on Time Picker -->
  <search>
    <query>| makeresults 
| addinfo
| eval info_max_time=if(info_max_time=="+Infinity",now(),info_max_time)
| eval lastWeekEarliestEpoch=if(info_min_time=0,"0",relative_time(info_min_time,"-7d"))
| eval lastWeekLatestEpoch=relative_time(info_max_time,"-7d")
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <set token="tokCurrentEarlistEpoch">$result.info_min_time$</set>
      <set token="tokCurrentLatestEpoch">$result.info_max_time$</set>
      <set token="tokLastWeekEarliestEpoch">$result.lastWeekEarliestEpoch$</set>
      <set token="tokLastWeekLatestEpoch">$result.lastWeekLatestEpoch$</set>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval CurrentEarlistEpoch=$tokCurrentEarlistEpoch$, CurrentLatestEpoch=$tokCurrentLatestEpoch$, LastWeekEarliestEpoch=$tokLastWeekEarliestEpoch$, LastWeekLatestEpoch=$tokLastWeekLatestEpoch$
| fieldformat CurrentEarlistEpoch=strftime(CurrentEarlistEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat CurrentLatestEpoch=strftime(CurrentLatestEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat LastWeekEarliestEpoch=strftime(LastWeekEarliestEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat LastWeekLatestEpoch=strftime(LastWeekLatestEpoch,"%Y-%m-%d %H:%M:%S")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=INFO earliest=$tokCurrentEarlistEpoch$ latest=$tokCurrentLatestEpoch$ 
| timechart count as "Current Time Selected" 
| appendcols 
    [ search index=_internal sourcetype=splunkd log_level=INFO earliest=$tokLastWeekEarliestEpoch$ latest=$tokLastWeekLatestEpoch$ 
    | timechart count as "7 Days Prior" 
    | eval _time=relative_time(_time,"+7d")]</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@everynameIwantistaken if you want to substitute time ranges ( i.e. current time range and time range 7 days back) based on Time picker, you can refer to following answer which sets the time token based on independent search with either addinfo or eval to set token: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

The following run anywhere example uses addinfo to evaluate the earliest and latest time for current time and 7 days back. PS: For All Time the latest time will be +Infinity by addinfo command hence the same is converted to present time using now() function.

Please try out and confirm!

alt text

Following is the Simple XML Dashboard code for run anywhere example.

<form>
  <label>Time range based on Time Token</label>
  <!-- Set Token based on Time Picker -->
  <search>
    <query>| makeresults 
| addinfo
| eval info_max_time=if(info_max_time=="+Infinity",now(),info_max_time)
| eval lastWeekEarliestEpoch=if(info_min_time=0,"0",relative_time(info_min_time,"-7d"))
| eval lastWeekLatestEpoch=relative_time(info_max_time,"-7d")
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <set token="tokCurrentEarlistEpoch">$result.info_min_time$</set>
      <set token="tokCurrentLatestEpoch">$result.info_max_time$</set>
      <set token="tokLastWeekEarliestEpoch">$result.lastWeekEarliestEpoch$</set>
      <set token="tokLastWeekLatestEpoch">$result.lastWeekLatestEpoch$</set>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval CurrentEarlistEpoch=$tokCurrentEarlistEpoch$, CurrentLatestEpoch=$tokCurrentLatestEpoch$, LastWeekEarliestEpoch=$tokLastWeekEarliestEpoch$, LastWeekLatestEpoch=$tokLastWeekLatestEpoch$
| fieldformat CurrentEarlistEpoch=strftime(CurrentEarlistEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat CurrentLatestEpoch=strftime(CurrentLatestEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat LastWeekEarliestEpoch=strftime(LastWeekEarliestEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat LastWeekLatestEpoch=strftime(LastWeekLatestEpoch,"%Y-%m-%d %H:%M:%S")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=INFO earliest=$tokCurrentEarlistEpoch$ latest=$tokCurrentLatestEpoch$ 
| timechart count as "Current Time Selected" 
| appendcols 
    [ search index=_internal sourcetype=splunkd log_level=INFO earliest=$tokLastWeekEarliestEpoch$ latest=$tokLastWeekLatestEpoch$ 
    | timechart count as "7 Days Prior" 
    | eval _time=relative_time(_time,"+7d")]</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

everynameIwanti
Explorer

thank you very much, this works perfectly

osakachan
Communicator

Hello,

I had a query where I search the same data 1 week ago for 1 hour.

....
| join type=outer _time
[ search sourcetype=logs type=traffic service=HTTP* earliest=-1w@-1h latest=-1w | ....

Maybe you need to change your tokens to earliest=-1w@$bandwidth_time_range.earliest$ latest=-1w@$bandwidth_time_range.latest$
but I am not sure if it will work because of data time format.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...