Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create dynamic label based on time input change?

pgates
Explorer
‎02-01-2023 01:14 PM

I have a simple form that has a global search to set up the initial values of a time input.  With that global search, I also set a token for a label on my form.

I'd like to update that label when a new value is chosen from the time input, but I cannot get it to work.

Here is a full simple example to show what I mean.  If I change the time picker, I'd expect the label to be updated to reflect that change.

 

 

 

<form hideFilters="false">
  <search id="starttimesearch">
    <query>
     | makeresults 
     | eval startHours=relative_time(now(), "@h-36h")
     | eval startTimeStr=strftime(startHours, "%B %d, %Y %H:%M")
   </query>
    <done>
      <set token="form.timeRange.earliest">$result.startHours$</set>
      <set token="form.timeRange.latest">now</set>
      <set token="time_label">Since $result.startTimeStr$</set>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timeRange" searchWhenChanged="true">
      <label>Time</label>
      <default>
      </default>
      <change>
        <set token="time_change_start">strftime($timeRange.earliest$", "%B %d/%Y %H:%M")</set>
        <set token="time_change_end">strftime($timeRange.latest$", "%B %d/%Y %H:%M")</set>
        <eval token="time_label">case($timeRange.latest$ == now(), "Since $time_change_start$", 1==1, "From $time_change_start$ to %time_change_end$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        The time label is $time_label$
      </html>
    </panel>
  </row>
</form>

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-01-2023 02:24 PM

There are a number of small problems with the token handling, but the principle will not work in general as time input picker values do not get evaluated to their epoch times until the search runs, so your test for $timeRange.latest$=now() will never work, as the token has the string value of "now".

Also, these issues

<set token="time_change_start">strftime($timeRange.earliest$", "%B %d/%Y %H:%M")</set>
<set token="time_change_end">strftime($timeRange.latest$", "%B %d/%Y %H:%M")</set>
<eval token="time_label">case($timeRange.latest$ == now(), "Since $time_change_start$", 1==1, "From $time_change_start$ to %time_change_end$)</eval>

The first two could more easily be <eval> anyway rather than set, but you also have a trailing quote " after the token.

The last eval has a % before time_change_end, not a $, so that's breaking the eval. Also, as mentioned above, you cannot compare to now().

See this example of using a global search based on the time picker and then addinfo + <done> to set tokens.

<form hideFilters="false">
  <search id="starttimesearch">
    <query>
     | makeresults 
     | eval startHours=relative_time(now(), "@h-36h")
     | eval startTimeStr=strftime(startHours, "%B %d, %Y %H:%M")
   </query>
    <done>
      <set token="form.timeRange.earliest">$result.startHours$</set>
      <set token="form.timeRange.latest">now</set>
      <set token="time_label">Since $result.startTimeStr$</set>
    </done>
  </search>
  <search>
    <query>
| makeresults
| addinfo
| eval startTimeStr=strftime(info_min_time, "%B %d, %Y %H:%M")
| eval endTimeStr=strftime(info_max_time, "%B %d, %Y %H:%M")
    </query>
    <done>
      <set token="time_label">From $result.startTimeStr$ to $result.endTimeStr$</set>
    </done>
    <earliest>$timeRange.earliest$</earliest>
    <latest>$timeRange.latest$</latest>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timeRange" searchWhenChanged="true">
      <label>Time</label>
      <default>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html/>
    </panel>
    <panel>
      <html>
        The time label is $time_label$<p/>
      </html>
    </panel>
  </row>
</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-01-2023 02:24 PM

There are a number of small problems with the token handling, but the principle will not work in general as time input picker values do not get evaluated to their epoch times until the search runs, so your test for $timeRange.latest$=now() will never work, as the token has the string value of "now".

Also, these issues

<set token="time_change_start">strftime($timeRange.earliest$", "%B %d/%Y %H:%M")</set>
<set token="time_change_end">strftime($timeRange.latest$", "%B %d/%Y %H:%M")</set>
<eval token="time_label">case($timeRange.latest$ == now(), "Since $time_change_start$", 1==1, "From $time_change_start$ to %time_change_end$)</eval>

The first two could more easily be <eval> anyway rather than set, but you also have a trailing quote " after the token.

The last eval has a % before time_change_end, not a $, so that's breaking the eval. Also, as mentioned above, you cannot compare to now().

See this example of using a global search based on the time picker and then addinfo + <done> to set tokens.

<form hideFilters="false">
  <search id="starttimesearch">
    <query>
     | makeresults 
     | eval startHours=relative_time(now(), "@h-36h")
     | eval startTimeStr=strftime(startHours, "%B %d, %Y %H:%M")
   </query>
    <done>
      <set token="form.timeRange.earliest">$result.startHours$</set>
      <set token="form.timeRange.latest">now</set>
      <set token="time_label">Since $result.startTimeStr$</set>
    </done>
  </search>
  <search>
    <query>
| makeresults
| addinfo
| eval startTimeStr=strftime(info_min_time, "%B %d, %Y %H:%M")
| eval endTimeStr=strftime(info_max_time, "%B %d, %Y %H:%M")
    </query>
    <done>
      <set token="time_label">From $result.startTimeStr$ to $result.endTimeStr$</set>
    </done>
    <earliest>$timeRange.earliest$</earliest>
    <latest>$timeRange.latest$</latest>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timeRange" searchWhenChanged="true">
      <label>Time</label>
      <default>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html/>
    </panel>
    <panel>
      <html>
        The time label is $time_label$<p/>
      </html>
    </panel>
  </row>
</form>
Reply
Solved! Jump to solution

pgates
Explorer
‎02-06-2023 06:14 AM

Awesome - was unaware of addinfo.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...