How do you change time tokens when comparing two time ranges?

I'm trying to compare two time ranges in one chart like the way it was taught in this article: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html

My question is: how should I change the query so that I can display it in a dashboard and be able to change the time range (e.g. display the two time ranges, 3 hours ago and the same time 3 hours ago last week)?

For example, the time token is called "bandwidthtimerange", and my query is:

index=xxx earliest=$bandwidth_time_range.earliest$ latest=$bandwidth_time_range.latest$  |eval period="today"|  append [search index=xxx earliest=$bandwidth_time_range.earliest$-7d@m latest=$bandwidth_time_range.latest$-7d@m  | eval period="last_week"   | eval _time=_time+(60*60*24*7)]  | timechart span=1m sum(bytes) by period

The panel didn't return a timechart. Instead it says: invalid value "now-7d@m" for time term "latest"

Is there anything I can do to link the query and the time picker together?

Re: How do you change time tokens when comparing two time ranges?

Hello,

I had a query where I searched the same data from 1 week ago for 1 hour.

....
| join type=outer _time
[ search sourcetype=logs type=traffic service=HTTP* earliest=-1w@-1h latest=-1w | ....

Maybe you need to change your tokens to earliest=-1w@$bandwidthtimerange.earliest$ latest=-1w@$bandwidthtimerange.latest$,
but I am not sure if it will work because of the data's time format.

Re: How do you change time tokens when comparing two time ranges?

@everynameIwantistaken if you want to substitute time ranges (i.e. the current time range and the time range 7 days back) based on the Time picker, you can refer to the following answer, which sets the time token based on an independent search with either addinfo or eval to set the token: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

The following run-anywhere example uses addinfo to evaluate the earliest and latest time for the current time range and for 7 days back. PS: For All Time, the addinfo command returns +Infinity as the latest time, so it is converted to the present time using the now() function.

Please try it out and confirm!

Following is the Simple XML dashboard code for the run-anywhere example.

<form>
  <label>Time range based on Time Token</label>
  <!-- Set Token based on Time Picker -->
  <search>
    <query>| makeresults 
| addinfo
| eval info_max_time=if(info_max_time=="+Infinity",now(),info_max_time)
| eval lastWeekEarliestEpoch=if(info_min_time=0,"0",relative_time(info_min_time,"-7d"))
| eval lastWeekLatestEpoch=relative_time(info_max_time,"-7d")
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <set token="tokCurrentEarlistEpoch">$result.info_min_time$</set>
      <set token="tokCurrentLatestEpoch">$result.info_max_time$</set>
      <set token="tokLastWeekEarliestEpoch">$result.lastWeekEarliestEpoch$</set>
      <set token="tokLastWeekLatestEpoch">$result.lastWeekLatestEpoch$</set>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval CurrentEarlistEpoch=$tokCurrentEarlistEpoch$, CurrentLatestEpoch=$tokCurrentLatestEpoch$, LastWeekEarliestEpoch=$tokLastWeekEarliestEpoch$, LastWeekLatestEpoch=$tokLastWeekLatestEpoch$
| fieldformat CurrentEarlistEpoch=strftime(CurrentEarlistEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat CurrentLatestEpoch=strftime(CurrentLatestEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat LastWeekEarliestEpoch=strftime(LastWeekEarliestEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat LastWeekLatestEpoch=strftime(LastWeekLatestEpoch,"%Y-%m-%d %H:%M:%S")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=INFO earliest=$tokCurrentEarlistEpoch$ latest=$tokCurrentLatestEpoch$ 
| timechart count as "Current Time Selected" 
| appendcols 
    [ search index=_internal sourcetype=splunkd log_level=INFO earliest=$tokLastWeekEarliestEpoch$ latest=$tokLastWeekLatestEpoch$ 
    | timechart count as "7 Days Prior" 
    | eval _time=relative_time(_time,"+7d")]</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
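As an added illustration (not code from this thread or from Splunk), the Python below mirrors the token logic of the answer above: it resolves the time-picker values to epoch seconds, derives the "7 days prior" window the way the addinfo/eval search does (including the All Time case, where addinfo reports info_min_time=0 and info_max_time="+Infinity"), and shifts the prior week's rows forward so both series line up on one time axis. It also shows why the question's original query failed: appending "-7d@m" to a token that holds "now" produces the string "now-7d@m", which no time parser accepts, whereas computing from resolved epochs yields plain numbers. Assumptions: the modifier grammar is a simplified one ("now", an epoch number, or [+-]N{s,m,h,d,w} with an optional @unit snap), "7 days" is a fixed 604800 seconds where Splunk's relative_time is time-zone aware, and NOW and the sample rows are constructed values.

```python
"""Added example, not code from this thread or from Splunk.

Assumptions: simplified modifier grammar ("now", an epoch number, or
[+-]N{s,m,h,d,w} with an optional @unit snap); "7 days" is a fixed 604800 s,
whereas Splunk's relative_time applies the modifier in the search time zone
and may differ across a DST change; NOW and the sample rows are constructed."""
import re
import time

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
SEVEN_DAYS = 7 * 86400
_EPOCH = re.compile(r"^\d+(?:\.\d+)?$")
_MODIFIER = re.compile(r"^(?P<offset>[+-]\d+)(?P<unit>[smhdw])(?:@(?P<snap>[smhdw]))?$")


def resolve(modifier, now=None):
    """Epoch seconds for one picker value, or ValueError for a malformed one.

    'now'        -> now
    '-60m@m'     -> now minus 60 minutes, snapped down to the minute
    'now-7d@m'   -> ValueError. Appending '-7d@m' to a token whose value is
                    'now' (as the question's query does) yields exactly this
                    string, which is why the panel reported an invalid value.
    """
    now = int(time.time()) if now is None else now
    if modifier == "now":
        return now
    if _EPOCH.match(modifier):
        return int(float(modifier))
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f'invalid value "{modifier}" for time term')
    t = now + int(m["offset"]) * UNIT_SECONDS[m["unit"]]
    if m["snap"]:
        t -= t % UNIT_SECONDS[m["snap"]]  # snap down to the unit boundary
    return t


def is_valid_modifier(modifier):
    """True when resolve() accepts the value, False otherwise."""
    try:
        resolve(modifier, now=0)
        return True
    except ValueError:
        return False


def comparison_windows(info_min_time, info_max_time, now=None):
    """Reproduce the answer's eval chain on addinfo output and return the four
    tokens the chart panel substitutes as numeric earliest/latest values.

    info_max_time arrives as the string "+Infinity" for All Time and is
    replaced with now; info_min_time is 0 for All Time and stays 0 for the
    prior week too, since "7 days before the start of the index" is meaningless.
    """
    now = int(time.time()) if now is None else now
    current_latest = now if info_max_time == "+Infinity" else int(float(info_max_time))
    current_earliest = int(float(info_min_time))
    return {
        "tokCurrentEarliestEpoch": current_earliest,
        "tokCurrentLatestEpoch": current_latest,
        "tokLastWeekEarliestEpoch": 0 if current_earliest == 0 else current_earliest - SEVEN_DAYS,
        "tokLastWeekLatestEpoch": current_latest - SEVEN_DAYS,
    }


def overlay_prior_week(prior_rows):
    """Shift (_time, count) rows of the prior-week search forward by 7 days,
    the counterpart of `eval _time=relative_time(_time,"+7d")` in the answer,
    so they align with the current rows on a single timechart."""
    return [(t + SEVEN_DAYS, count) for t, count in prior_rows]


if __name__ == "__main__":
    NOW = 1700000000  # constructed "current time" so the run is reproducible
    earliest, latest = resolve("-60m@m", NOW), resolve("now", NOW)
    tokens = comparison_windows(earliest, latest, NOW)
    for name, value in tokens.items():
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(value))
        print(f"{name}={value}  ({stamp} UTC)")
    print("All Time:", comparison_windows(0, "+Infinity", NOW))
    print("string-appended token rejected:", not is_valid_modifier("now-7d@m"))
    # constructed prior-week rows: one count per minute from the window start
    prior = [(tokens["tokLastWeekEarliestEpoch"] + 60 * i, 5 + i) for i in range(3)]
    print("overlay:", overlay_prior_week(prior))
```

The point to take from it is the same one the dashboard makes: do the date arithmetic on resolved epoch numbers (addinfo plus eval, or the equivalent in code) and hand the chart panel numeric earliest/latest tokens, rather than concatenating relative modifiers onto token strings.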

Re: How do you change time tokens when comparing two time ranges?

Thank you very much, this works perfectly.
