How to add Timewrap with Time Token on Dashboard?

cbiraris · ‎10-06-2022

Hi Team,

Is there any way to add TimeToken with timewrap on the dashboard.

I have a dashboard ready to display this week data to compare with last week data having timewrap with 7d.

But, I would like to add token to replace the 7d value as per choice.

Search query:

index=ABC sourcetype="xyz" data earliest= -14d@d latest= @s
| timechart span=15m partial=false count by data
| timewrap 7d series=short
|table _time, s0, s1
| rename s0 as this_week, s1 as last_week,

bowesmana · ‎10-06-2022

If you have an input on a dashboard that allows the user to choose an option you provide, then that will create a token, so you simply use that token in your SPL, e.g.

index=ABC sourcetype="xyz" data earliest= -14d@d latest= @s
| timechart span=15m partial=false count by data
| timewrap $wrap_token$ series=short
| table _time, s0, s1
| rename s0 as this_week, s1 as last_week,

however, there are some problems with your SPL in that when you are timecharting with a split by field, the field names are not S0 and s1, they are data_value_s0 etc, i.e. the value of your split 'data' field.

Also, if you are searching 14days and change the wrap period to 1d, then it will generate 14 values of s*.

What are you trying to achieve?

How to add Timewrap with Time Token on Dashboard?

chart

drilldown

panel

single value

timechart

token

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to add Timewrap with Time Token on Dashboard?

Can’t make it to .conf25? Join us online!