Solved: Re: How to offset the token from a time picker

duesser · ‎12-05-2023

I basically have the exact same question as https://community.splunk.com/t5/Dashboards-Visualizations/How-to-have-a-panel-use-an-offset-from-a-t....

BUT I need to actually change the value in the timerange picker token. E.G. if i select a timerange of "last 4 hour" and my modification is to add an hour, than the $token_time.earliest$ should not be "-4h" but "-5h".

ITWhisperer · ‎12-07-2023

Try this - although this doesn't work with all options from time pickers - I haven't found an easy way to deal with all options.

<change>
  <eval token="starttime">relative_time(relative_time(now(),$timepicker.earliest$),"-1h")</eval>
  <eval token="finishtime">relative_time(relative_time(now(),$timepicker.latest$),"-1h")</eval>
</change>

View solution in original post

PickleRick · ‎12-05-2023

Also - you can "stack up" time specifiers. Look at this example:

duesser · ‎12-05-2023

I am aware of this, which is why I linked the question where this was answered already. I need to change the token within the XML dashboard.

PickleRick · ‎12-06-2023

But why exactly do you want to change the token itself? Isn't it enough to skew the timerange for the resulting search?

duesser · ‎12-06-2023

I am loading the search from a datamodel, so I can not do

| datamodel earliest=$<time_token>$-1h

ITWhisperer · ‎12-05-2023

Create a new token in the change handler for the timepicker which is based on an hour difference to the timepicker earliest value. If you start changing the timepicker itself, this will be seen as a change which will then add another hour, which will be seen as a change, and so on.

duesser · ‎12-05-2023

I am aware of this, however I was not able to accomplish this. Could you specify HOW EXACTLY you would accomplish this - e.g. shift earliest to earliest-1h within the input part of XML?

ITWhisperer · ‎12-06-2023

Try something like this

<change>
  <eval token="starttime">relative_time($timepicker.earliest$","-1h")</eval>
  <eval token="finishtime">relative_time($timepicker.latest$","-1h")</eval>
</change>

duesser · ‎12-07-2023

This does not work for me. It evaluates to "NaN". I guess the issue beeing, that $timepicker.xxx$ is filled with "-24h@h" for example, rather than UNIX time. Maybe it would make sense to post this as a seperate question. "how to convert "-24h@h" or so into UNIX time"?

ITWhisperer · ‎12-07-2023

Try this - although this doesn't work with all options from time pickers - I haven't found an easy way to deal with all options.

<change>
  <eval token="starttime">relative_time(relative_time(now(),$timepicker.earliest$),"-1h")</eval>
  <eval token="finishtime">relative_time(relative_time(now(),$timepicker.latest$),"-1h")</eval>
</change>

duesser · ‎12-07-2023

When does it not work? For my intends and purposes it is sufficient! Thank you alot!

ITWhisperer · ‎12-07-2023

iirc it is when you use "last hour" (for example) as the latest become the string "now" which confuses relative_time although it might also be when you use advanced as you can get an epoch time.

How to offset the token from a time picker

dashboard

panel

simple XML

token

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?