Re: How to automatically set earliest and latest t...

bollam · ‎02-24-2020

Hello,

I have a dashboard which contains couple of panels and it receives events once in a month for a year calendar.
I have specific dates for each months.
Let's say for the current month it has events on 10-02-2020 and earliest is "02/10/2020:00:00:00 and latest is "02/10/2020:24:00:00", In the next month it will be on 20-03-2020, In such a way every month it has events on a specific day.
When I load the dashboard the earliest and latest values should be set for the current month on the day when events arrived. When the next month(March) events arrives the earliest and latest should be set as earliest = "03/20/2020:00:00:00 and latest is "03/20/2020:24:00:00".
The earliest and latest values should not change until next month date is matched.

ilya_resh · ‎03-03-2020

Maybe not exactly what you are after, how about you have the panels to search for the last let's say 33 days and then restrict your search this way

    YOUR_SEARCH | eval report_month = lower(strftime(now(),"%B")), report_day = 20 | where date_month = report_month AND date_mday = report_day

Assuming your initial search has events with this index/source/sourcetype only on the one day it shouldn't take too long to run

anmolpatel · ‎03-03-2020

Have not come across such a feature in Splunk.
What you can do is create a Global time filter for the Dashboard and pass the token to each panel. You will need to update and save the global time token on a monthly basis to set the time range as required.

How to automatically set earliest and latest to the panels when the dashboard loads?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life