Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert a time modifier to a time parameter than can be passed to another search?

gcusello
SplunkTrust
SplunkTrust
‎04-09-2015 12:49 AM

Hi at all,
I'm creating a dashboard to manage alerts.
I created a search that extract alerts information:
- _time,
- timerange (-1d@d, -5m, etc...)
- search (index=XXX, sourcetype=XXX, conditions=XXX,.......)
I'd like to pass these parameters to another panel of my dashboard (or to another dashboard) to run the search that generated the alert in the same time range and obtain the results that generated alert.
However, I'm have problems building "earliest" and "latest" parameters in my first search for the second one. Could you help me?
Thank You in advance.
Bye.
Giuseppe

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-08-2016 08:17 AM

I inserted in the drilldown URL the time tokens:

    <drilldown>
      <link>details_by_protocol?cs_uri_scheme=$click.name2$&amp;TimeFrom=$Time.earliest$&amp;TimeTo=$Time.latest$</link>
    </drilldown>

And runs.
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-08-2016 08:17 AM

I inserted in the drilldown URL the time tokens:

    <drilldown>
      <link>details_by_protocol?cs_uri_scheme=$click.name2$&amp;TimeFrom=$Time.earliest$&amp;TimeTo=$Time.latest$</link>
    </drilldown>

And runs.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-09-2015 03:07 AM

Hello! I think your first search is the one running the alert! So you can set your earliest and latest parameters when configuring your alert on the screen shot bellow.

![alt text][1]

SGF
Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-09-2015 04:24 AM

The first search (Alert Search) is already OK, the problem is to correctly calculate StartTime and EndTime to pass to the second one:

  • EndTime is the _time of the alert event,
  • the problem is to calculate StartTime that it should be: endTime - timerange but the problem is that timerange is in format -1f@d or -5m and I don't know how to use it in eval espression. Thank you. giuseppe
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-09-2015 09:07 AM

I reached to calculate StartTime and EndTime in my first panel.
...| eval EndTime=strftime(_time,"%m/%d/%Y:%H:%M:%S") | eval StartTime=strftime(relative_time(_time,timerange),"%m/%d/%Y:%H:%M:%S")
where timerange is a field with timerange values (-1d, -2m@m, etc...)

The problem now is hot to pass these parametrs to the second panel:
if I put these parametrs in the second panel query (at the beginning of the query), it takes them, but it isn't OK for my need because in the search there are some subsearches that don't take time modifiers.
Is it possible to pass parametrs to the earliest and latest row of the dashboard?
Thank you in advance.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...