How to add Timewrap with Time Token on Dashboard?

cbiraris · ‎10-06-2022

Hi Team,

Is there any way to add TimeToken with timewrap on the dashboard.

I have a dashboard ready to display this week data to compare with last week data having timewrap with 7d.

But, I would like to add token to replace the 7d value as per choice.

Search query:

index=ABC sourcetype="xyz" data earliest= -14d@d latest= @s
| timechart span=15m partial=false count by data
| timewrap 7d series=short
|table _time, s0, s1
| rename s0 as this_week, s1 as last_week,

bowesmana · ‎10-06-2022

If you have an input on a dashboard that allows the user to choose an option you provide, then that will create a token, so you simply use that token in your SPL, e.g.

index=ABC sourcetype="xyz" data earliest= -14d@d latest= @s
| timechart span=15m partial=false count by data
| timewrap $wrap_token$ series=short
| table _time, s0, s1
| rename s0 as this_week, s1 as last_week,

however, there are some problems with your SPL in that when you are timecharting with a split by field, the field names are not S0 and s1, they are data_value_s0 etc, i.e. the value of your split 'data' field.

Also, if you are searching 14days and change the wrap period to 1d, then it will generate 14 values of s*.

What are you trying to achieve?

How to add Timewrap with Time Token on Dashboard?

chart

drilldown

panel

single value

timechart

token

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?