Individual Time filter for each panel in dashboard

synastraa
Path Finder

Hi,

I have currently created a time filter by following this guide which applies to all my panels in the dashboard.
https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html

Now that I have a global time filter for all the dashboards, I was wondering if I could add in time filters for individual panels as well.

Have tried to add the time input in the individual panel itself but I have the following error when I placed the token in the individual query.

Would appreciate some advice. Thanks!

0 Karma

synastraa
Path Finder

Hi,

Still have not been able to get a solution for this. Is there anyone with a solution for this? Thanks!

0 Karma

vnravikumar
Champion

Hi

Try this

<form>
  <label>timepicker</label>
  <search id="basequery">
    <query>
      index=_internal |table _time,source,sourcetype
    </query>
    <earliest>$time1.earliest$</earliest>
    <latest>$time1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>@mon</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="basequery">
          <query>|eventstats count by source|dedup source |table _time,source,count</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <input type="time" token="time2">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text">
        <label>Earliest</label>
        <default>$toEarliest$</default>
      </input>
      <input type="text">
        <label>Latest</label>
        <default>$toLatest$</default>
      </input>
      <input type="dropdown" depends="$hide$">
        <search>
          <query>| makeresults</query>
          <earliest>$time2.earliest$</earliest>
          <latest>$time2.latest$</latest>
          <progress>
            <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
            <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
          </progress>
        </search>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search base="basequery">
          <query>| eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$)
          |  where _time &gt;=earliest AND _time &lt;=latest |eventstats count by source|dedup source |table _time,source,count</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

synastraa
Path Finder

Hi vnravikumar,

Could you provide some explanation, as I'm kind of new to Splunk and have some trouble understanding how this works? Greatly appreciated. Thanks!

0 Karma

vnravikumar
Champion

Hi

As you know, we can't apply the time picker's earliest and latest to a query that uses a base query. For that, I created a dummy dropdown to get time2's earliest and latest tokens. Then I used the same in the new panel.

0 Karma

synastraa
Path Finder

Hi

I have tried out the query and am not sure if I am doing it right, as it has returned no results found. Thanks!
I have attached my query below.

  <row>
    <panel>
      <input type="time" token="time1">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="dropdown" depends="$hide$">
        <search>
          <query>|makeresults </query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <progress>
            <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%d%H:%M:%S.%Q")</eval>
            <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%d%H:%M:%S.%Q")</eval>
            <set token="jobEarliest">$job.earliestTime$</set>
            <set token="jobLatest">$job.latestTime$</set>
          </progress>
        </search>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <title>SLA Email Response Time Breached Rate %</title>
      <single>
        <search base="base_search">
          <query>|eval earliest = $toEarliest$ |eval latest = if($toLatest$ &lt;0,now(),$toLatest$)
           |where _time &gt;=earliest AND _time &lt;=latest
           |where reportedsource="Email"|stats count(eval(responsetime &gt;2)) as "Breached" ,  count(eval(reportedsource ="Email"))  as total_count  | eval percentage= round((Breached/total_count)*100,2) |eval Breached Rate=percentage| table "Breached Rate"</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[50,80]</option>
        <option name="refresh.display">preview</option>
        <option name="unit">%</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
      </single>
    </panel>
0 Karma

vnravikumar
Champion

Hi

Do you have a record for that duration? Can you please remove those conditions and check?

0 Karma

synastraa
Path Finder

Hi,

Yes, I have records in that duration. I have also tried all time, but it still shows no results found. Thanks

0 Karma

vnravikumar
Champion

Can you debug and check the values of the two new tokens? Like:

      <input type="text">
        <label>Earliest</label>
        <default>$toEarliest$</default>
      </input>
      <input type="text">
        <label>Latest</label>
        <default>$toLatest$</default>
      </input>
0 Karma

synastraa
Path Finder

Hi,

I have attached a screenshot of what I am seeing.
https://imgur.com/a/JWC77Tc

0 Karma

FrankVl
Ultra Champion

Those properties must be before the closing </search> tag.

Edit: oh, and what @vnravikumar says in his comment.

0 Karma

vnravikumar
Champion

Hi

If you use a base query, you can't use the earliest and latest tokens there.

0 Karma

synastraa
Path Finder

@vnravikumar

Yes, I have a base query in my code. Is there still any approach I could take to do up individual time filters with a base query while keeping my global filter that filters everything together? Thanks!

0 Karma