I want to create a dashboard with two panels and a timepicker. One panel needs to show a chart according to the timepicker selection of the user and another panel with exactly the same data, but one week before. I tried subtracting -7d from the timepicker tokens, but didn't succeed. After searching Splunk Answers, I came up with the below, but now I am getting:
Error in 'eval' command: The expression is malformed. Expected )
but there are no brackets missing, so I tried adding quotes to the timepicker tokens, without success (no results are shown).
index=main source=X_monitor sourcetype=X_monitor earliest=[|gentimes start=-1 | eval t=relative_time($field1.earliest$,"-7d") | return $t] latest=[|gentimes start=-1 | eval t=relative_time($field1.latest$,"-7d") | return $t] |timechart count
field1 is my shared timepicker.
Any suggestions would be appreciated.
Assuming you're on 6.4, you can use the eval element in Simple XML: http://docs.splunk.com/Documentation/Splunk/6.4.1/Viz/PanelreferenceforSimplifiedXML#eval
Using that you can set a second token to something like relative_time($field1.earliest$, "-7d") and use that second token in your search. Make sure you cover all cases your time range picker can return.
Upgrade to 6.4, many great things await - bugfixes, security patches, performance improvements, new features... there isn't any real reason not to upgrade.
Coming back to this one after a lot of time.
We are on 6.6 at the moment and I tried your suggestions; here's the first part of the dashboard:
<input type="time" token="incTime" searchWhenChanged="false">
  <label>Incident time</label>
  <default>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="1weekearliest">relative_time($incTime.earliest$, "-7d")</eval>
    <eval token="1weeklatest">relative_time($incTime.latest$, "-7d")</eval>
  </change>
</input>
Further down I am using $1weekearliest$ and $1weeklatest$ as the time tokens for a panel, but the panel seems to show "all time".
I am also displaying the tokens in the panel title but they both appear as NaN.
What have I done wrong?
Two things. First, apparently you need $earliest$ instead of $field.earliest$ - the former gets you the value that is about to change, the latter will get you the old value.
Second and more importantly, relative_time expects an epoch as its first parameter. It'll work if you define specific points in time, it won't work if you define relative time strings. For those you'd have to do something like `relative_time(relative_time(time(), "$earliest$"), "-7d")`... handling all the options can be tricky. You can get epoch numbers for points in time, relative time strings, "now", null, 0, "rt-30m", "rt", maybe more.
Try like this for your second search:
index=main source=X_monitor sourcetype=X_monitor [|gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-7d") | eval latest=relative_time(info_max_time,"-7d") | table earliest latest | format "" "" "" "" "" ""] |timechart count
More information on addinfo command here: http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Addinfo
This does not work for me, the gentimes just gives zero results. Anything I am missing? Please help! Thank you 🙂
What's your full query? The gentimes here is just to generate a sample row without hitting any of the indexes. If you're using 6.3+, you can use | makeresults instead of | gentimes start=-1.
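Putting the addinfo approach together with makeresults, here is an added example (not from any post in this thread) that also covers the "All time" case the earlier reply warned about. It assumes addinfo reports a non-numeric info_max_time (+Infinity) when latest is open-ended, which is mapped to now(), and a zero info_min_time, which is kept as 0 so the shifted search stays "all time" rather than producing a negative epoch.

```spl
index=main source=X_monitor sourcetype=X_monitor
    [ | makeresults
      | addinfo
      | eval minT=if(isnum(info_min_time), info_min_time, 0),
             maxT=if(isnum(info_max_time), info_max_time, now())
      | eval earliest=if(minT > 0, relative_time(minT, "-7d"), 0),
             latest=relative_time(maxT, "-7d")
      | return earliest latest ]
| timechart count
```

The subsearch inherits the panel's time range, so info_min_time and info_max_time are the epoch bounds chosen in the time picker regardless of whether the token held a relative string, "now", or an absolute time; the returned earliest/latest pair then replaces the panel's own range for the shifted search.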