Hi,
I have currently created a time filter by following this guide which applies to all my panels in the dashboard.
https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html
Now that I have a global time filter for all the dashboards, I was wondering if I could add in time filters for individual panels as well.
Have tried to add the time input in the individual panel itself but I have the following error when I placed the token in the individual query.
Would appreciate some advice. Thanks!
Hi,
Still have not been able to get a solution for this. Is there anyone with a solution for this? Thanks!
Hi
Try this
<form>
  <label>timepicker</label>
  <!-- Base search, bounded by the global time picker (time1) -->
  <search id="basequery">
    <query>
      index=_internal |table _time,source,sourcetype
    </query>
    <earliest>$time1.earliest$</earliest>
    <latest>$time1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>@mon</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="basequery">
          <query>|eventstats count by source|dedup source |table _time,source,count</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- Per-panel time picker (time2) -->
      <input type="time" token="time2">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <!-- Text inputs that display the computed epoch tokens for debugging -->
      <input type="text">
        <label>Earliest</label>
        <default>$toEarliest$</default>
      </input>
      <input type="text">
        <label>Latest</label>
        <default>$toLatest$</default>
      </input>
      <!-- Hidden input: runs makeresults over time2 and converts the job's time bounds to epoch tokens -->
      <input type="dropdown" depends="$hide$">
        <search>
          <query>| makeresults</query>
          <earliest>$time2.earliest$</earliest>
          <latest>$time2.latest$</latest>
          <progress>
            <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
            <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
          </progress>
        </search>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <!-- Post-process of the base search, narrowed to the time2 window by filtering on _time -->
        <search base="basequery">
          <query>| eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$)
| where _time >=earliest AND _time &lt;=latest |eventstats count by source|dedup source |table _time,source,count</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Hi vnravikumar,
Could you provide some explanation as I'm kind of new to Splunk and have some trouble understanding how this works. Greatly appreciated. Thanks!
Hi
As you know, we can't apply a time picker's earliest and latest to a query that uses a base query. For that, I created a dummy dropdown to get time2's earliest and latest tokens. Then I used the same in the new panel.
Hi
Have tried out the query and not sure if I am doing it right as it has returned no results found. Thanks!
Have attached my query below.
<row>
  <panel>
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" depends="$hide$">
      <search>
        <query>|makeresults </query>
        <earliest>$time1.earliest$</earliest>
        <latest>$time1.latest$</latest>
        <progress>
          <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%d%H:%M:%S.%Q")</eval>
          <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%d%H:%M:%S.%Q")</eval>
          <set token="jobEarliest">$job.earliestTime$</set>
          <set token="jobLatest">$job.latestTime$</set>
        </progress>
      </search>
    </input>
  </panel>
</row>
<row>
  <panel>
    <title>SLA Email Response Time Breached Rate %</title>
    <single>
      <search base="base_search">
        <query>|eval earliest = $toEarliest$ |eval latest = if($toLatest$ &lt;0,now(),$toLatest$)
|where _time >=earliest AND _time &lt;=latest
|where reportedsource="Email"|stats count(eval(responsetime >2)) as "Breached" , count(eval(reportedsource ="Email")) as total_count | eval percentage= round((Breached/total_count)*100,2) |eval Breached Rate=percentage| table "Breached Rate"</query>
      </search>
      <option name="colorMode">block</option>
      <option name="drilldown">none</option>
      <option name="rangeColors">["0xf7bc38","0xf58f39","0xd93f3c"]</option>
      <option name="rangeValues">[50,80]</option>
      <option name="refresh.display">preview</option>
      <option name="unit">%</option>
      <option name="unitPosition">after</option>
      <option name="useColors">1</option>
    </single>
  </panel>
Hi
Do you have a record for that duration? Can you please remove those conditions and check?
Hi,
Yes I have records in that duration, have also tried all time but it still shows no results found. Thanks
Can you debug and check the values of the two new tokens? Like:
<input type="text">
  <label>Earliest</label>
  <default>$toEarliest$</default>
</input>
<input type="text">
  <label>Latest</label>
  <default>$toLatest$</default>
</input>
Hi,
I have attached a screenshot of what I am seeing.
https://imgur.com/a/JWC77Tc
Those properties must be before the closing </search> tag.
Edit: oh, and what @vnravikumar says in his comment.
Hi
If you use a base query, you can't use the earliest and latest tokens there.
@vnravikumar
Yes I have a base query in my code. Is there still any approach I could take to do up individual time filters with a base query while keeping my global filter that filters everything together? Thanks!