Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get time variables from a dashboard to use to eval the amount of time being searched?

john_glasscock
Path Finder
‎04-04-2019 06:13 AM

I am trying to createa dashboard where you can select the time frame, then in the dashboard search, I want to use the timeframe selection to find the amount of time being selected in minutes to be used in a formula.

Example: You select 24 hours. Using the earliest and latest time variables, I want to calculate the time being search I.E. 24 hours or 1440 minutes.

I then want to take the 1440 minutes and divide by a number.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-04-2019 06:23 AM

@john.glasscock

You can use addinfo to get Search boundary.

YOUR_SEARCH | addinfo | eval secs= info_max_time - info_min_time

This will give you info_min_time and info_max_time. Use these fields to get the difference in secs. You can convert these secs in minutes.

info_min_time The earliest time boundary for the search.

info_max_time The latest time boundary for the search.

Check http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addinfo

View solution in original post

0 Karma
Reply
Solved! Jump to solution

john_glasscock
Path Finder
‎04-04-2019 07:41 AM

@kamlesh_vaghela I would like to find out what percentage of the 5 minute periods wrote locally. However when I try the percentage eval statement below it fails.

index=nagios "Writing logs locally due to high log rate"
| stats count by dest
| sort by – count
| addinfo
| eval secs= info_max_time - info_min_time
| eval minutes=secs/60
| eval 5minperiods=round(minutes/5,2)
| eval percentage=round(count/5minperiods,2)
| fields dest count 5minperiods percentage

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-04-2019 06:23 AM

@john.glasscock

You can use addinfo to get Search boundary.

YOUR_SEARCH | addinfo | eval secs= info_max_time - info_min_time

This will give you info_min_time and info_max_time. Use these fields to get the difference in secs. You can convert these secs in minutes.

info_min_time The earliest time boundary for the search.

info_max_time The latest time boundary for the search.

Check http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addinfo

0 Karma
Reply
Solved! Jump to solution

john_glasscock
Path Finder
‎04-04-2019 06:37 AM

Thank you !

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...