How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

New Member

I want to create a dashboard with two panels and a timepicker. One panel needs to show a chart according to the timepicker selection of the user and another panel with exactly the same data, but one week before. I tried subtracting -7d from the timepicker tokens, but didn't succeed. After searching Splunk Answers, I came up with the below, but now I am getting: Error in 'eval' command: The expression is malformed. Expected ), but there are no brackets missing, so I tried adding quotes to the timepicker tokens, without success (no results are shown).

index=main source=X_monitor sourcetype=X_monitor 
earliest=[|gentimes start=-1 | eval t=relative_time($field1.earliest$,"-7d") | return $t]
latest=[|gentimes start=-1 | eval t=relative_time($field1.latest$,"-7d") | return $t]
|timechart count

field1 is my shared timepicker

Any suggestions would be appreciated.

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

SplunkTrust

Assuming you're on 6.4, you can use the eval element in Simple XML: http://docs.splunk.com/Documentation/Splunk/6.4.1/Viz/PanelreferenceforSimplifiedXML#eval
Using that you can set a second token to something like relative_time($field1.earliest$, "-7d") and use that second token in your search. Make sure you cover all cases your time range picker can return.

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

New Member

We are on 6.2.4, does anyone have any other suggestion?

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

SplunkTrust

Upgrade to 6.4, many great things await - bugfixes, security patches, performance improvements, new features... there isn't any real reason not to upgrade.

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

New Member

Hi Martin,
coming back to this one after a lot of time.
We are on 6.6 at the moment and I tried your suggestions, here's the first part of the dashboard:

CPSimpactassessment

<input type="time" token="incTime" searchWhenChanged="false">
  <label>Incident time</label>
  <default>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="1weekearliest">relative_time($incTime.earliest$, "-7d")</eval>
    <eval token="1weeklatest">relative_time($incTime.latest$, "-7d")</eval>
  </change>
</input>

...

Further down I am using $1weekearliest$ and $1weeklatest$ as the time token for a panel, but the panel seems to show "all time".
I am also displaying the tokens in the panel title, but they both appear as NaN.
What have I done wrong?

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

SplunkTrust

Two things. First, apparently you need $earliest$ instead of $field.earliest$ - the former gets you the value that is about to change, the latter will get you the old value.

Second and more importantly, relative_time expects an epoch as its first parameter. It'll work if you define specific points in time, it won't work if you define relative time strings. For those you'd have to do something like `relative_time(relative_time(time(), "$earliest$"), "-7d")`... handling all the options can be tricky. You can get epoch numbers for points in time, relative time strings, "now", null, 0, "rt-30m", "rt", maybe more.

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

SplunkTrust

Try like this for your second search

index=main source=X_monitor sourcetype=X_monitor [|gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-7d") | eval latest=relative_time(info_max_time,"-7d") | table earliest latest | format "" "" "" "" "" ""]
|timechart count

More information on addinfo command here: http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Addinfo

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

New Member

Thanks Somesoni2, this works like a charm for me. 🙂

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

New Member

This does not work for me, the gentimes just gives zero results. Anything I am missing? Please help! Thank you 🙂

0 Karma

Re: How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

SplunkTrust

What's your full query? The gentimes here is just to generate a sample row without hitting any of the indexes. If you're using 6.3+, you can use | makeresults instead of | gentimes start=-1.

0 Karma
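
An added example, not part of any post in this thread: the accepted subsearch written with makeresults (6.3+) and extended to cover the "All time" picker selection, where addinfo reports info_min_time as 0 and info_max_time as +Infinity, so shifting by -7d would otherwise produce unusable bounds. The index, source and sourcetype are the ones from the question; treating "All time" as "everything up to one week ago" is an assumption about what the comparison panel should show.

```spl
index=main source=X_monitor sourcetype=X_monitor
    [| makeresults
     | addinfo
     | eval info_max_time=if(info_max_time="+Infinity", now(), info_max_time)
     | eval earliest=if(info_min_time=0, 0, relative_time(info_min_time, "-7d"))
     | eval latest=relative_time(info_max_time, "-7d")
     | table earliest latest
     | format "" "" "" "" "" ""]
| timechart count
```

The panel running this search must take its time range from the shared time picker, since addinfo reads the boundaries of the search it runs in.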