Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare time range picker to change span of timechart (heatmap)

esmonder
Path Finder
‎09-20-2017 11:05 PM

I am using a heatmap to represent my timechart and i have a time range picker to determine the time range of the heatmap visualization

   ... |timechart span=1h count by class_desc

span=1h is deal for me if a preset value of "Last 7 days" or lower is picked.
But data beyond 2 weeks will not be displayed if i were to pick the preset value of "Last 30 days".
For "Last 30 days", span=1d would be ideal

Thus I am looking to compare the time range picker token ($time_token$) of the time range:

if $time_token$ <= "Last 7 Days" then span=1h
else span=1d

p.s. i've tried the bins method and it isn't what i am looking for (https://answers.splunk.com/answers/44213/how-can-i-change-the-span-in-timechart-when-the-timerangepi...)

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎09-21-2017 11:01 AM

@esmonder, questions on similar lines have been answered before. Following is one of the ways to do this:

Step 1: Add a dummy search with your earliest and latest time input tokens (where time picker input token name is time_token).

  <search>
    <query>| makeresults
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>    
    <progress>
      <eval token="tokSpan">case(strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S")-strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S")>604800,"1d",true(),"1h")</eval>
    </progress>
  </search>

The progress search event handler is used to set the timeSpan token using eval tag. If the difference between earliest and latest time is greater than 604800 i.e. 7*24*60*60 seconds (7 days), then tokSpan is set to 1d, else it is set to 1h.

Step 2: Use tokSpan in the timechart command for Calendar Heatmap custom visualization

... |timechart span=$tokSpan$ count by class_desc
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-21-2017 05:04 PM

Hey @esmonder, if @niketnilay solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎09-21-2017 11:01 AM

@esmonder, questions on similar lines have been answered before. Following is one of the ways to do this:

Step 1: Add a dummy search with your earliest and latest time input tokens (where time picker input token name is time_token).

  <search>
    <query>| makeresults
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>    
    <progress>
      <eval token="tokSpan">case(strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S")-strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S")>604800,"1d",true(),"1h")</eval>
    </progress>
  </search>

The progress search event handler is used to set the timeSpan token using eval tag. If the difference between earliest and latest time is greater than 604800 i.e. 7*24*60*60 seconds (7 days), then tokSpan is set to 1d, else it is set to 1h.

Step 2: Use tokSpan in the timechart command for Calendar Heatmap custom visualization

... |timechart span=$tokSpan$ count by class_desc
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...