Dashboards & Visualizations

How to recalculate earliest and latest in view?

schose
Builder

Hi all,

I'm currently struggeling with the following issue. I'm getting token mytimestamp passed to a view. Now i want to calculate and search over the day in which the timeframe is included:

my view looks like:

<dashboard>
  <init>
    <eval token="earliest">relative_time(mytimestamp,"-0d@d")</eval>
    <eval token="latest">relative_time(mytimestamp,"+1d@d")</eval>  
  </init>
  <label>test</label>
  <row>
    <panel>
      <event>
        <title>mydate: $mytimestamp$ earliest:$earliest$ latest:$latest$</title>
        <search>
          <query>| tstats earliest(_time) as et latest(_time) as lt count where index=_internal | convert ctime(et) ctime(lt)</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
      </event>
    </panel>
  </row>
</dashboard>

When I test my view using: https://.. /test?mytimestamp=15273720000 the token $mytimestamp$ is filled while earliest and latest is displayed as "NaN".

When I edit the view, change something like add a whitespace in the simplexml and save, $earliest$ and $latest$ isn't filled correctly.

It looks like the init tokens can't be filled with passed tokens or not processed correctly? I tested this on v7.1.

Thanks for your help in advance,

Andreas

1 Solution

niketn
Legend

@schose, instead of <init>, use a dummy search to run based on the epoch time passed in the querystring and set the required relative earliest and latest time.

Following is the Run anywhere example of Destination dashboard where the dummy search sets the earliest and latest time based on epoch timestamp passed as input.

<yourAppNameGoesHere>/pass_timestamp_and_calculate_earliest_latest_in_new_dashboard.xml

<dashboard>
  <label>Pass Timestamp and calculate Earliest Latest in New Dashboard</label>
  <search>
    <query>| makeresults
    | eval _time=$mytimestamp|s$
    | eval earliest=relative_time(_time,"-1d@d")
    | eval latest=relative_time(_time,"+1d@d")
    </query>
    <done>
      <set token="tokEarliest">$result.earliest$</set>
      <set token="tokLatest">$result.latest$</set>
      <eval token="tokEarliestString">strftime($result.earliest$,"%Y/%m/%d %H:%M:%S %p")</eval>
      <eval token="tokLatestString">strftime($result.latest$,"%Y/%m/%d %H:%M:%S %p")</eval>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <title>tokEarliest(string): $tokEarliestString$ - tokLatest(string): $tokLatestString$</title>
          <search>
            <query>index=_internal sourcetype=splunkd log_level!=INFO component!="Metrics" component!="PeriodicHealthChecker"
              | timechart count by component limit=5 useother=f
            </query>
            <earliest>$tokEarliest$</earliest>
            <latest>$tokLatest$</latest>
          </search>
      </table>
    </panel>
  </row>
</dashboard>

Following is a sample Source Dashboard code with drilldown. You can change the date here to test the values in destination dashboard.

<dashboard>
  <label>Pass time token Source Dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval _time=relative_time(_time,"-2d@d")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/<yourAppNameGoesHere>/pass_timestamp_and_calculate_earliest_latest_in_new_dashboard?mytimestamp=$click.value$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

schose
Builder

works perfectly!

niketn
Legend

@schose, instead of <init>, use a dummy search to run based on the epoch time passed in the querystring and set the required relative earliest and latest time.

Following is the Run anywhere example of Destination dashboard where the dummy search sets the earliest and latest time based on epoch timestamp passed as input.

<yourAppNameGoesHere>/pass_timestamp_and_calculate_earliest_latest_in_new_dashboard.xml

<dashboard>
  <label>Pass Timestamp and calculate Earliest Latest in New Dashboard</label>
  <search>
    <query>| makeresults
    | eval _time=$mytimestamp|s$
    | eval earliest=relative_time(_time,"-1d@d")
    | eval latest=relative_time(_time,"+1d@d")
    </query>
    <done>
      <set token="tokEarliest">$result.earliest$</set>
      <set token="tokLatest">$result.latest$</set>
      <eval token="tokEarliestString">strftime($result.earliest$,"%Y/%m/%d %H:%M:%S %p")</eval>
      <eval token="tokLatestString">strftime($result.latest$,"%Y/%m/%d %H:%M:%S %p")</eval>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <title>tokEarliest(string): $tokEarliestString$ - tokLatest(string): $tokLatestString$</title>
          <search>
            <query>index=_internal sourcetype=splunkd log_level!=INFO component!="Metrics" component!="PeriodicHealthChecker"
              | timechart count by component limit=5 useother=f
            </query>
            <earliest>$tokEarliest$</earliest>
            <latest>$tokLatest$</latest>
          </search>
      </table>
    </panel>
  </row>
</dashboard>

Following is a sample Source Dashboard code with drilldown. You can change the date here to test the values in destination dashboard.

<dashboard>
  <label>Pass time token Source Dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval _time=relative_time(_time,"-2d@d")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/<yourAppNameGoesHere>/pass_timestamp_and_calculate_earliest_latest_in_new_dashboard?mytimestamp=$click.value$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...