Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to dynamically compare two time ranges?

naty
Path Finder
‎11-14-2016 09:15 AM

Hi,

i have a dashboard with panels comparing data of historical data and showing it graphically.
i manipulate the _time for all the searches to be in the same time in the panel.
example - i take data from today between 10:00-11:00, and data from yesterday between 10:00-11:00.
then I manipulate the _time of the second search so that in the panel the two graphs will be on the same time frame, but they are originally from different dates

the problem that i am experiencing is that i want to change the time frame dynamically.
i'm doing so using a timepicker.

this is my timepicker:

fieldset submitButton="false"
   input type="time" token="timeField"
      label:/label
      default
        earliest:-1h:earliest
        latest:now:latest
      default
    input
  fieldset

and this is my search:

index=myapp source="mysource" NOT DATETIME earliest=$timeField.earliest$ latest=$timeField.latest$ ID=000 | eval ReportKey="ID0 Today" | append [search index=myapp source="mysource" NOT DATETIME earliest=$timeField.earliest$-86400 latest=$timeField.latest$-1d@m ID=000 | eval ReportKey="ID0 Yesterday" | eval _time=_time+86400| append [search index=myapp source="mysource" NOT DATETIME earliest=$timeField.earliest$-604800 latest=$timeField.latest$-7d@m ID=000 | eval ReportKey="ID0 Last week" | eval _time=_time+7*86400 | append [search index=myapp source="mysource" NOT DATETIME earliest=$timeField.earliest$-2419200 latest=$timeField.latest$-28d@m ID=000 | eval ReportKey="ID0 Last Month" | eval _time=_time+28*86400]]] |  timechart span=1m max(field1) by ReportKey

this search will work perfect if the time i'm picking in the timepicker is a relative time, for example: Last 1 hour/Last 1 day/etc..
but if i'm picking a specific time, for example: 10/13/2016 09:00:00.000 10/13/2016 10:00:00.000 then the search will fail, because i get an epoch time from the second choice.

how can i overcome this?

Thank you!

0 Karma
Reply

sundareshr
Legend
‎12-13-2016 09:07 AM

Add this to the Timepicker control to always return epoch time

<input type="time" token="time">
...
<change>
<eval token="e">if(isnum($time.earliest$),  relative_time($time.earliest$, "-30d@d), relative_time(relative_time(now(), $time.earliest$), "-30d@d")</eval>
</change>

And for you search, your could try this to avoid the sub-searches (append)

index=foo earliest=$e$ | eval ReportKey=case(_time>relative_time(now(), "@d"), "Today", _time>relative_time(now(), "-1d@d") AND _time<relative_time(now(), "@d"), "Yesterday", _time>relative_time(now(), "-30d@d") AND _time<relative_time(now(), "-29d@d"), "Last Month" | ... rest of your query from any one of the segments
0 Karma
Reply

naty
Path Finder
‎12-13-2016 09:27 AM

hi, thank you!
i understood the change to the query to avoid the sub-searches, but i didn't understand the you added from the time input.
why -30d@d? you meant 30 days earlier?
can't i just check if time.latest == now?

also, can you please elaborate on what relative_time does and what it returns? the documentation is not very good about this function..

0 Karma
Reply

sundareshr
Legend
‎12-13-2016 10:15 AM

relative_time(x, y) accepts two params. The x represent time value (epoch) and y represents offset from x. For example relative_time(now(), "-1h@h") would mean 1 hour prior to now.

So in query above, -30d represents 30d prior to epoch time selected in the timepicker.

0 Karma
Reply

masonmorales
Influencer
‎11-14-2016 10:07 AM

I haven't seen a good way to do this yet. Most people resort to using the Timewrap TA: https://splunkbase.splunk.com/app/1645/

0 Karma
Reply

naty
Path Finder
‎12-13-2016 07:54 AM

hi,
thank you for your answer.
sadly, i don't have the ability to change the Splunk infrastructure in our business, we can only use it.
my problem is with the now() - if the latest is 'now' then all of the searches will work.
but, if i'm picking a specific time then i get an EPOCH time, and with EPOCH time i get for example -
"invalid latest time 14756941647-1d@m"

so i need to either change "-1d@m" to EPOCH, or to know when i get "now" or EPOCH for latest time.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...