Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create dynamic label based on time input change?

pgates
Explorer
‎02-01-2023 01:14 PM

I have a simple form that has a global search to set up the initial values of a time input.  With that global search, I also set a token for a label on my form.

I'd like to update that label when a new value is chosen from the time input, but I cannot get it to work.

Here is a full simple example to show what I mean.  If I change the time picker, I'd expect the label to be updated to reflect that change.

 

 

 

<form hideFilters="false">
  <search id="starttimesearch">
    <query>
     | makeresults 
     | eval startHours=relative_time(now(), "@h-36h")
     | eval startTimeStr=strftime(startHours, "%B %d, %Y %H:%M")
   </query>
    <done>
      <set token="form.timeRange.earliest">$result.startHours$</set>
      <set token="form.timeRange.latest">now</set>
      <set token="time_label">Since $result.startTimeStr$</set>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timeRange" searchWhenChanged="true">
      <label>Time</label>
      <default>
      </default>
      <change>
        <set token="time_change_start">strftime($timeRange.earliest$", "%B %d/%Y %H:%M")</set>
        <set token="time_change_end">strftime($timeRange.latest$", "%B %d/%Y %H:%M")</set>
        <eval token="time_label">case($timeRange.latest$ == now(), "Since $time_change_start$", 1==1, "From $time_change_start$ to %time_change_end$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        The time label is $time_label$
      </html>
    </panel>
  </row>
</form>

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-01-2023 02:24 PM

There are a number of small problems with the token handling, but the principle will not work in general as time input picker values do not get evaluated to their epoch times until the search runs, so your test for $timeRange.latest$=now() will never work, as the token has the string value of "now".

Also, these issues

<set token="time_change_start">strftime($timeRange.earliest$", "%B %d/%Y %H:%M")</set>
<set token="time_change_end">strftime($timeRange.latest$", "%B %d/%Y %H:%M")</set>
<eval token="time_label">case($timeRange.latest$ == now(), "Since $time_change_start$", 1==1, "From $time_change_start$ to %time_change_end$)</eval>

The first two could more easily be <eval> anyway rather than set, but you also have a trailing quote " after the token.

The last eval has a % before time_change_end, not a $, so that's breaking the eval. Also, as mentioned above, you cannot compare to now().

See this example of using a global search based on the time picker and then addinfo + <done> to set tokens.

<form hideFilters="false">
  <search id="starttimesearch">
    <query>
     | makeresults 
     | eval startHours=relative_time(now(), "@h-36h")
     | eval startTimeStr=strftime(startHours, "%B %d, %Y %H:%M")
   </query>
    <done>
      <set token="form.timeRange.earliest">$result.startHours$</set>
      <set token="form.timeRange.latest">now</set>
      <set token="time_label">Since $result.startTimeStr$</set>
    </done>
  </search>
  <search>
    <query>
| makeresults
| addinfo
| eval startTimeStr=strftime(info_min_time, "%B %d, %Y %H:%M")
| eval endTimeStr=strftime(info_max_time, "%B %d, %Y %H:%M")
    </query>
    <done>
      <set token="time_label">From $result.startTimeStr$ to $result.endTimeStr$</set>
    </done>
    <earliest>$timeRange.earliest$</earliest>
    <latest>$timeRange.latest$</latest>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timeRange" searchWhenChanged="true">
      <label>Time</label>
      <default>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html/>
    </panel>
    <panel>
      <html>
        The time label is $time_label$<p/>
      </html>
    </panel>
  </row>
</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-01-2023 02:24 PM

There are a number of small problems with the token handling, but the principle will not work in general as time input picker values do not get evaluated to their epoch times until the search runs, so your test for $timeRange.latest$=now() will never work, as the token has the string value of "now".

Also, these issues

<set token="time_change_start">strftime($timeRange.earliest$", "%B %d/%Y %H:%M")</set>
<set token="time_change_end">strftime($timeRange.latest$", "%B %d/%Y %H:%M")</set>
<eval token="time_label">case($timeRange.latest$ == now(), "Since $time_change_start$", 1==1, "From $time_change_start$ to %time_change_end$)</eval>

The first two could more easily be <eval> anyway rather than set, but you also have a trailing quote " after the token.

The last eval has a % before time_change_end, not a $, so that's breaking the eval. Also, as mentioned above, you cannot compare to now().

See this example of using a global search based on the time picker and then addinfo + <done> to set tokens.

<form hideFilters="false">
  <search id="starttimesearch">
    <query>
     | makeresults 
     | eval startHours=relative_time(now(), "@h-36h")
     | eval startTimeStr=strftime(startHours, "%B %d, %Y %H:%M")
   </query>
    <done>
      <set token="form.timeRange.earliest">$result.startHours$</set>
      <set token="form.timeRange.latest">now</set>
      <set token="time_label">Since $result.startTimeStr$</set>
    </done>
  </search>
  <search>
    <query>
| makeresults
| addinfo
| eval startTimeStr=strftime(info_min_time, "%B %d, %Y %H:%M")
| eval endTimeStr=strftime(info_max_time, "%B %d, %Y %H:%M")
    </query>
    <done>
      <set token="time_label">From $result.startTimeStr$ to $result.endTimeStr$</set>
    </done>
    <earliest>$timeRange.earliest$</earliest>
    <latest>$timeRange.latest$</latest>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timeRange" searchWhenChanged="true">
      <label>Time</label>
      <default>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html/>
    </panel>
    <panel>
      <html>
        The time label is $time_label$<p/>
      </html>
    </panel>
  </row>
</form>
Reply
Solved! Jump to solution

pgates
Explorer
‎02-06-2023 06:14 AM

Awesome - was unaware of addinfo.

0 Karma
Reply
Get Updates on the Splunk Community!

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top