Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get time variables from a dashboard to use to eval the amount of time being searched?

john_glasscock
Path Finder
‎04-04-2019 06:13 AM

I am trying to createa dashboard where you can select the time frame, then in the dashboard search, I want to use the timeframe selection to find the amount of time being selected in minutes to be used in a formula.

Example: You select 24 hours. Using the earliest and latest time variables, I want to calculate the time being search I.E. 24 hours or 1440 minutes.

I then want to take the 1440 minutes and divide by a number.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-04-2019 06:23 AM

@john.glasscock

You can use addinfo to get Search boundary.

YOUR_SEARCH | addinfo | eval secs= info_max_time - info_min_time

This will give you info_min_time and info_max_time. Use these fields to get the difference in secs. You can convert these secs in minutes.

info_min_time The earliest time boundary for the search.

info_max_time The latest time boundary for the search.

Check http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addinfo

View solution in original post

0 Karma
Reply
Solved! Jump to solution

john_glasscock
Path Finder
‎04-04-2019 07:41 AM

@kamlesh_vaghela I would like to find out what percentage of the 5 minute periods wrote locally. However when I try the percentage eval statement below it fails.

index=nagios "Writing logs locally due to high log rate"
| stats count by dest
| sort by – count
| addinfo
| eval secs= info_max_time - info_min_time
| eval minutes=secs/60
| eval 5minperiods=round(minutes/5,2)
| eval percentage=round(count/5minperiods,2)
| fields dest count 5minperiods percentage

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-04-2019 06:23 AM

@john.glasscock

You can use addinfo to get Search boundary.

YOUR_SEARCH | addinfo | eval secs= info_max_time - info_min_time

This will give you info_min_time and info_max_time. Use these fields to get the difference in secs. You can convert these secs in minutes.

info_min_time The earliest time boundary for the search.

info_max_time The latest time boundary for the search.

Check http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addinfo

0 Karma
Reply
Solved! Jump to solution

john_glasscock
Path Finder
‎04-04-2019 06:37 AM

Thank you !

0 Karma
Reply
Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...
Top