Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get time variables from a dashboard to use to eval the amount of time being searched?

john_glasscock
Path Finder
‎04-04-2019 06:13 AM

I am trying to createa dashboard where you can select the time frame, then in the dashboard search, I want to use the timeframe selection to find the amount of time being selected in minutes to be used in a formula.

Example: You select 24 hours. Using the earliest and latest time variables, I want to calculate the time being search I.E. 24 hours or 1440 minutes.

I then want to take the 1440 minutes and divide by a number.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-04-2019 06:23 AM

@john.glasscock

You can use addinfo to get Search boundary.

YOUR_SEARCH | addinfo | eval secs= info_max_time - info_min_time

This will give you info_min_time and info_max_time. Use these fields to get the difference in secs. You can convert these secs in minutes.

info_min_time The earliest time boundary for the search.

info_max_time The latest time boundary for the search.

Check http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addinfo

View solution in original post

0 Karma
Reply
Solved! Jump to solution

john_glasscock
Path Finder
‎04-04-2019 07:41 AM

@kamlesh_vaghela I would like to find out what percentage of the 5 minute periods wrote locally. However when I try the percentage eval statement below it fails.

index=nagios "Writing logs locally due to high log rate"
| stats count by dest
| sort by – count
| addinfo
| eval secs= info_max_time - info_min_time
| eval minutes=secs/60
| eval 5minperiods=round(minutes/5,2)
| eval percentage=round(count/5minperiods,2)
| fields dest count 5minperiods percentage

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-04-2019 06:23 AM

@john.glasscock

You can use addinfo to get Search boundary.

YOUR_SEARCH | addinfo | eval secs= info_max_time - info_min_time

This will give you info_min_time and info_max_time. Use these fields to get the difference in secs. You can convert these secs in minutes.

info_min_time The earliest time boundary for the search.

info_max_time The latest time boundary for the search.

Check http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addinfo

0 Karma
Reply
Solved! Jump to solution

john_glasscock
Path Finder
‎04-04-2019 06:37 AM

Thank you !

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...