Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to add timerange values to panel content?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add timerange values to panel content?
Has anyone successfully taken the time range values from a timerange picker and passed the human readable format into the title or contents? For example I have a TRP and a single value panel that shows a simple count and then the after label is: "between $time.earliest$ and $time.latest$". This effectively just passes the range i.e. for last 7 days it would read "between -7d@h and now but" would like to see the actual dates. Any ideas on how to do this in simple xml?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use a single value panel to do this, and have the search results display the earliest and latest search times. Try adding this to your dashboard, it should run anywhere:
...
<row>
<panel>
<single>
<searchstring>|stats count | addinfo | eval startDate=strftime(info_min_time,"%m/%d/%y @ %l:%M%p") | eval endDate=strftime(info_max_time,"%m/%d/%y @ %l:%M%p") | eval searchTime=startDate+" to "+endDate | stats values(searchTime)</searchstring>
<earliestTime>$earliest$</earliestTime>
<latestTime>$latest$</latestTime>
<option name="underLabel">Is the time period of events in this search</option>
</single>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this works for you. (run anywhere example)
<form>
<label>ErrorWarningDistribution</label>
<fieldset submitButton="False">
<input type="time">
<default>Yesterday</default>
</input>
<input type="dropdown" token="title" id="field2">
<selectFirstChoice>true</selectFirstChoice>
<populatingSearch fieldForValue="title" fieldForLabel="title">
<![CDATA[
| gentimes start=-1 | addinfo | eval title="between '".strftime(info_min_time,"%F %T")."' and '".strftime(info_max_time,"%F %T")."'"]]>
</populatingSearch>
</input>
<html id="field3">
<style>
.input#field2
{
display:none;
}
</style>
</html>
</fieldset>
<row>
<panel>
<chart>
<title>Showing report to period $title$</title>
<searchString>index=_internal log_level=*
| chart count(eval(log_level="ERROR")) as ERROR
count(eval(log_level="WARN")) as WARNING over date_mday by sourcetype</searchString>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somesoni2 were you ever able to get the issue fixed with it not always updating when the time is changed? What you have here is exactly what I need but I need to have it fully working. Also another note is that this seems to have broken in 6.2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess this approach has a issue that the title is not getting updated after changing the time. I will see if I can get that part working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am on 6.1.2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk are you using?
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
