How to control earliest and latest in the search string using forms in XML?

HattrickNZ
Motivator

I have the following search in my XML:

index= ... earliest=-20d@d latest=+d@d | timechart ...  | timewrap ...

How do I control the search using a form? I basically want to be able to control this earliest=-20d@d latest=+d@d and I only want to increase the value 20 up or down. Maybe I should use some other type of form control?

This is my 1st attempt:

<label>Timeframe</label>
<default>
  <earliestTime>-20d</earliestTime>
  <latestTime>now</latestTime>
</default>
0 Karma
1 Solution

ngatchasandra
Builder

Hi HatNZ,

If I understood your task correctly, try the XML code that follows. With this, you can specify either -20d, -30d or more in the input text. It works fine!
Try to run it!

<form>
  <label>time</label>
  <fieldset submitButton="true">
    <input type="text" token="time_tok">
      <label>Specify a time</label>
      <default>-20d</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | stats count by sourcetype | head 10</query>
          <earliest>$time_tok$</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>


stephane_cyrill
Builder

Hi,
As you have adapted your code, if it produces no error it is OK. Now try this:
1- Create an input for an integer.
2- Use the input token like this:

index= ... earliest=-$time_tok$d@d latest=+d@d | timechart ... | timewrap ...

3- You can even remove "earliest=-" and "d@d" and put them in the fieldset as token prefix and token suffix.
The query will now be:

index= ... $time_tok$ latest=+d@d | timechart ... | timewrap ...

0 Karma
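
The prefix/suffix approach from step 3 above, as an added example that is not part of the original thread: a dropdown with fixed day counts takes the place of the free-text field, so only the listed numbers can reach the search string. The token name `days_tok`, the choice values, `index=_internal` and the `timechart`/`timewrap` arguments are assumptions chosen for illustration.

```xml
<!-- Added example, not from the thread. Token name, choices, index and
     timechart/timewrap arguments are assumed for illustration. -->
<form>
  <label>Timeframe</label>
  <fieldset submitButton="false">
    <!-- A dropdown offers only fixed values, unlike a free-text input,
         whose contents are substituted into the query as typed. -->
    <input type="dropdown" token="days_tok" searchWhenChanged="true">
      <label>Days back</label>
      <choice value="20">20 days</choice>
      <choice value="30">30 days</choice>
      <choice value="40">40 days</choice>
      <default>20</default>
      <!-- prefix + value + suffix: choosing 30 yields earliest=-30d@d -->
      <prefix>earliest=-</prefix>
      <suffix>d@d</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal $days_tok$ latest=+d@d | timechart span=1d count | timewrap 1week</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```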

HattrickNZ
Motivator

Thanks, I adapted that to do something like this.

<input type="text" token="time_tok">
<label>Specify a time</label>
<default>-20d@d</default>
</input>

index= ... earliest=$time_tok$ latest=+d@d | timechart ... | timewrap ...

This way I am controlling the earliest=$time_tok$ part using the input.

0 Karma

ngatchasandra
Builder

What do you want now? Are you satisfied?

0 Karma

stephanefotso
Motivator

Here is an example:

<form>
  <label>Single Value Customization: Panel Color</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label/>
      <default>
        <earliestTime>0</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <input type="dropdown" token="index" searchWhenChanged="true">
      <label>Choose one index</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForLabel="index" fieldForValue="index">| eventcount summarize=false index=* OR index=_*</populatingSearch>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <single id="id1">
      <title>Count of all events in index=$index$</title>
      <searchString>index=$index$ OR index=_$index$|stats count</searchString>
      <earliestTime>$time.earliest$</earliestTime>
      <latestTime>$time.latest$</latestTime>
      <option name="field">count</option>
      <option name="beforeLabel">There is</option>
      <option name="afterLabel">Total Events</option>
      <option name="underLabel">All events</option>
    </single>

  </row>
</form>
SGF
0 Karma

HattrickNZ
Motivator

I specifically want to be able to control this in the search earliest=-20d@d, changing it to this earliest=-30d@d or this earliest=-40d@d for example. Maybe I am taking the wrong approach.

0 Karma