Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to control earliest and latest in the search string using forms in XML?

HattrickNZ
Motivator
‎04-23-2015 01:55 PM

i have the following search in my xml:

index= ... earliest=-20d@d latest=+d@d | timechart ...  | timewrap ...

How do I control the search using a form? I basically want to be able to control this earliest=-20d@d latest=+d@d and I only want to increase the value 20 up or down. Maybe I should use some other type of form control?

This is my 1st attempt:

<label>Timeframe</label>
<default>
  <earliestTime>-20d</earliestTime>
  <latestTime>now</latestTime>
</default>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-23-2015 02:57 PM

Hi HatNZ,

If i undertanded well your task, try with xml code that follow: with this, you can specify either -20d ,-30d or more in the input text. It work fine!
Try to run it!

<form>
      <label>time</label>
      <fieldset submitButton="true">

        <input type="text" token="time_tok">
          <label>Specify a time</label>
          <default>-20d</default>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <search>
              <query>index=_internal | stats count by sourcetype |head 10</query>
              <earliest>$time_tok$</earliest>
              <latest>now</latest>
            </search>
          </table>
        </panel>
      </row>
    </form>

View solution in original post

Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-23-2015 03:48 PM

Hi ,
As you have adapted your code,if it produce no error it is ok. now try this:
1- create an input for integer .
2-use the input token like this:

index= ... earliest=-$time_tok$d@d
latest=+d@d | timechart ... |
timewrap ...

3- you can even remove "earliest=-" and "d@d" and put them in fieldset as token prefix and token suffix.
the query will now be:

index= ... $time_tok$
latest=+d@d | timechart ... |
timewrap ...

0 Karma
Reply
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-23-2015 02:57 PM

Hi HatNZ,

If i undertanded well your task, try with xml code that follow: with this, you can specify either -20d ,-30d or more in the input text. It work fine!
Try to run it!

<form>
      <label>time</label>
      <fieldset submitButton="true">

        <input type="text" token="time_tok">
          <label>Specify a time</label>
          <default>-20d</default>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <search>
              <query>index=_internal | stats count by sourcetype |head 10</query>
              <earliest>$time_tok$</earliest>
              <latest>now</latest>
            </search>
          </table>
        </panel>
      </row>
    </form>
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-23-2015 03:22 PM

tks, I adapted that to do something like this.


<input type="text" token="time_tok">
<label>Specify a time</label>
<default>-20d@d</default>
</input>

index= ... earliest=$time_tok$ latest=+d@d | timechart ... | timewrap ...

this way i am controlling from earliest=$time_tok$ part using the input

0 Karma
Reply
Solved! Jump to solution

ngatchasandra
Builder
‎04-23-2015 03:27 PM

what do you want now? Are you satisfy?

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-23-2015 02:36 PM

Here is an example:

<form >
  <label>Single Value Customization: Panel Color</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label/>
      <default>
        <earliestTime>0</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <input type="dropdown" token="index" searchWhenChanged="true">
      <label>Choose one index</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForLabel="index" fieldForValue="index">| eventcount summarize=false index=* OR index=_*</populatingSearch>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <single id="id1">
      <title>Count of all events in index=$index$</title>
      <searchString>index=$index$ OR index=_$index$|stats count</searchString>
      <earliestTime>$time.earliest$</earliestTime>
      <latestTime>$time.latest$</latestTime>
      <option name="field">count</option>
      <option name="beforeLabel">There is</option>
      <option name="afterLabel">Total Events</option>
      <option name="underLabel">All events</option>
    </single>

  </row>
</form>
SGF
0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-23-2015 02:47 PM

I speciffically want to be able to control this in the search earliest=-20d@dchanging it to this earliest=-30d@d or this earliest=-40d@d for example. Maybe i am taking the wrong approach.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...