Dashboards & Visualizations

How to change the time range picker before a search is executed in a dashboard?

ayusuf
Engager

I believe it's possible but I haven't been able to figure it out yet but I would like to change the time range dynamically before the search is executed.

Basically I'm doing a chart for a certain time range but I would like to always +2 days from what the user selects.

Updated dashboard:

<form>
  <label>timechanger</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-2d@d</earliest>
        <latest>-1d@d</latest>
      </default>
      <change>
        <eval token="e">if(isnum($time.latest$), relative_time($time.latest$, "+3d@d"), relative_time(relative_time(now(), $time.latest$), "+3d@d"))</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=mongod | timechart span=1d count by sourcetype</query>
          <earliest>$time.earliest$</earliest>
          <latest>$e$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

My simple dashboard:

<form>
  <label>timechanger</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-2d@d</earliest>
        <latest>-1d@d</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=mongod | timechart span=1d count by sourcetype</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
0 Karma

sundareshr
Legend

Not sure I understand what you mean by +2 days from what the user selects - is the earliest or latest or both? Regardless, you can tweak this concept to fit your specific needs. In you search, you will use the new token create dynamically, instead of $time.earliest$

 <input type="time" token="time" searchWhenChanged="true">
   <label></label>
   <default>
     <earliest>-2d@d</earliest>
     <latest>-1d@d</latest>
   </default>
   <change>
   <eval token="e">if(isnum($time.earliest$, relative_time($time.earliest$, "+2d@d"), relative_time(relative_time(now(), $time.earliest$), "+2d@d")</eval>
  <change>
 </input>

VatsalJagani
SplunkTrust
SplunkTrust

In eval here, even brackets are imbalance. @sundareshr - can you please correct?

0 Karma

dineshraj9
Builder

Nice logic!! Wanted to create a view to analyze time zone issue for logs going into future and this is exactly what I need 🙂

0 Karma

ayusuf
Engager

The latest. Earliest can stay as is. I think I can modify what you gave me to apply on $time.latest$ and pass that as token to my panel, is that correct?

0 Karma

sundareshr
Legend

That's Correct

0 Karma

ayusuf
Engager

Okay so I added that change and it doesn't seem to be working. The updated dashboard is at top. I keep getting, "Invalid latest_time: latest_time must be after earliest_time". At first it didn't work at all because some parens were missing in the eval. It seems like it should work according to the logic in the eval. I also tried using Splunk Debugger but I couldn't figure out why the e token kept consistently being 190800. Any ideas?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...