
How to set the conditional time range to show only the data available

aditsss
Motivator

Hi Everyone,

I have one requirement.

I have several dashboards where the default time range is set to the last 7 days.

But the data is not there.

For one dashboard the data is there till 21st Feb.

For the second dashboard the data is there till 26th Feb.

Is there any condition token that I can put in the date/time dropdown so that it will first search for the last 24 hours, then for the last 7 days, then for the last 30 days, and will show the data in the available range?

Like, if data is there for 24 hours then it will display that; otherwise, if it's available for the last 7 days it will display that, or if data is there in the last 30 days it will display that.

Is that possible?

Can someone guide me on this?

0 Karma

manjunathmeti
Champion

Hi @aditsss,
You can use dashboard tokens to achieve this use case. In the below code, if there are no events for the last 24 hrs, it sets the token last_7_days, which searches the same query for the last 7 days.

If there is no data for the last 7 days, then it sets the token last_30_days, which searches the same query for the last 30 days.

<dashboard>
  <label>Dynamic_Time_Range</label>
  <init>
    <set token="last_24_hrs">true</set>
    <unset token="last_7_days"></unset>
    <unset token="last_30_days"></unset>
  </init>
  <row depends="$last_24_hrs$">
    <panel>
      <title>Last 24 hrs</title>
      <table>
        <search>
          <query>index=_internal sourcetype=abc | stats count by sourcetype, source</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$job.resultCount$ == 0">
              <set token="last_7_days">true</set>
              <unset token="last_24_hrs"></unset>
            </condition>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row depends="$last_7_days$">
    <panel>
      <title>Last 7 days</title>
      <table>
        <search>
          <query>index=_internal | stats count by sourcetype, source</query>
          <earliest>-7d</earliest>
          <latest>now</latest>
          <done>
            <condition match="$job.resultCount$ == 0">
              <set token="last_30_days">true</set>
              <unset token="last_7_days"></unset>
            </condition>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row depends="$last_30_days$">
    <panel>
      <title>Last 30 days</title>
      <table>
        <search>
          <query>index=_internal | stats count by sourcetype, source</query>
          <earliest>-30d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

 

If this reply helps you, an upvote/like would be appreciated.

  

0 Karma

aditsss
Motivator

@manjunathmeti 

Below is one of my dashboard queries for one panel.

How can I achieve this for the below query?

<row>
  <panel>
    <chart>
      <title>Overall Salesforce User Licenses</title>
      <search>
        <query>index="abc" sourcetype="xyz" $type$ TotalLicenses!=0 | lookup Org_Alias.csv OrgFolderName OUTPUT OrgName as OrgName | search $OrgName$ |dedup OrgFolderName, LicenseName, SalesforceOrgId |chart sum(TotalLicenses) as "Total Licenses" sum(UnusedLicenses) as "Unused Licenses" sum(UsedLicenses) as "Used Licenses" by LicenseName</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.text">Count</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.maximumNumber">999999</option>
      <option name="charting.axisY.minimumNumber">0</option>
      <option name="charting.axisY.scale">log</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.chart">column</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">top</option>
      <option name="height">400</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>

And this is my date/time range dropdown:

<input type="time" token="field1" searchWhenChanged="true">
  <label>Date/Time</label>
  <default>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </default>
</input>

Can you guide me?

0 Karma

gcusello
SplunkTrust

Hi @aditsss,

No, sorry, you can set only one default value for the Time Picker, eventually different for each dashboard, but only one for each.

If the data are concentrated, e.g. they are uploaded one day a week concentrated in a few minutes, you could use a different approach:

Instead of using the Time Picker, you could search for the latest presence of your data in a larger period (e.g. 30 days), finding the timestamp of your data, and use that timestamp to take all your data, something like this:

<your_search> [ | metasearch <your_search> latest=now | head 1 | eval earliest=relative_time(_time,"-1h"), latest=relative_time(_time,"1h") | fields earliest latest ]

 Ciao.

Giuseppe

0 Karma
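
An added example, not posted by anyone in this thread: one way to combine the two replies with the time picker from the question. A hidden probe search finds the newest event within 30 days and writes the smallest matching window back into the picker. It assumes the `index="abc" sourcetype="xyz"` placeholders and the `field1` token from the question; the dashboard label and the sample panel are hypothetical.

```xml
<form>
  <label>Dynamic_Time_Range_Picker</label>
  <!-- Probe search (no panel, never displayed): looks at the newest event in
       the last 30 days and picks the smallest of the three windows
       (24 hours, 7 days, 30 days) that still contains it. -->
  <search>
    <query><![CDATA[
      index="abc" sourcetype="xyz"
      | head 1
      | stats max(_time) as last_event
      | eval age=now()-last_event
      | eval window=case(age<=86400, "-24h", age<=604800, "-7d", true(), "-30d")
    ]]></query>
    <earliest>-30d</earliest>
    <latest>now</latest>
    <done>
      <!-- form.field1.* updates the time input itself, so every panel bound to
           $field1.earliest$ / $field1.latest$ reruns with the chosen window.
           With no events at all, stats still returns one row with an empty
           last_event, and case() falls through to "-30d". -->
      <set token="form.field1.earliest">$result.window$</set>
      <set token="form.field1.latest">now</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Date/Time</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Sample panel (hypothetical); existing panels stay as they are. -->
      <table>
        <search>
          <query>index="abc" sourcetype="xyz" | stats count by sourcetype, source</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The probe runs once on load with its own fixed range, so a time range the user picks afterwards is not overwritten.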