Dashboards & Visualizations
Highlighted

How to compare time range picker to change span of timechart (heatmap)

Path Finder

I am using a heatmap to represent my timechart and i have a time range picker to determine the time range of the heatmap visualization

   ... |timechart span=1h count by class_desc

span=1h is deal for me if a preset value of "Last 7 days" or lower is picked.
But data beyond 2 weeks will not be displayed if i were to pick the preset value of "Last 30 days".
For "Last 30 days", span=1d would be ideal

Thus I am looking to compare the time range picker token ($time_token$) of the time range:

if $time_token$ <= "Last 7 Days" then span=1h
else span=1d

p.s. i've tried the bins method and it isn't what i am looking for (https://answers.splunk.com/answers/44213/how-can-i-change-the-span-in-timechart-when-the-timerangepi...)

Tags (2)
Highlighted

Re: How to compare time range picker to change span of timechart (heatmap)

Legend

@esmonder, questions on similar lines have been answered before. Following is one of the ways to do this:

Step 1: Add a dummy search with your earliest and latest time input tokens (where time picker input token name is time_token).

  <search>
    <query>| makeresults
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>    
    <progress>
      <eval token="tokSpan">case(strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S")-strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S")>604800,"1d",true(),"1h")</eval>
    </progress>
  </search>

The progress search event handler is used to set the timeSpan token using eval tag. If the difference between earliest and latest time is greater than 604800 i.e. 72460*60 seconds (7 days), then tokSpan is set to 1d, else it is set to 1h.

Step 2: Use tokSpan in the timechart command for Calendar Heatmap custom visualization

... |timechart span=$tokSpan$ count by class_desc



| eval message="Happy Splunking!!!"


View solution in original post

Highlighted

Re: How to compare time range picker to change span of timechart (heatmap)

Splunk Employee
Splunk Employee

Hey @esmonder, if @niketnilay solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma