Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Individual Time filter for each panel in dashboard

synastraa
Path Finder
‎04-03-2019 03:03 AM

Hi ,

I have currently created a time filter by following this guide which applies to all my panels in the dashboard.
https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html

Now that I have a global time filter for all the dashboards, I was wondering if I could add in time filters for individual panels as well.

Have tried to add the time input in the individual panel itself but I have the following error when I placed the token in the individual query.

Would appreciate some advice. Thanks!alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply

synastraa
Path Finder
‎04-11-2019 12:37 AM

Hi,

Still have not been able to get a solution for this. Is there anyone with a solution for this? Thanks!

0 Karma
Reply

vnravikumar
Champion
‎04-03-2019 08:14 PM

Hi

Try this

<form>
  <label>timepicker</label>
  <search id="basequery">
    <query>
      index=_internal |table _time,source,sourcetype
    </query>
    <earliest>$time1.earliest$</earliest>
    <latest>$time1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>@mon</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="basequery">
          <query>|eventstats count by source|dedup source |table _time,source,count</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <input type="time" token="time2">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text">
        <label>Earliest</label>
        <default>$toEarliest$</default>
      </input>
      <input type="text">
        <label>Latest</label>
        <default>$toLatest$</default>
      </input>
      <input type="dropdown" depends="$hide$">
        <search>
          <query>| makeresults</query>
          <earliest>$time2.earliest$</earliest>
          <latest>$time2.latest$</latest>
          <progress>
            <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
            <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
          </progress>
        </search>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search base="basequery">
          <query>| eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$)
          |  where _time &gt;=earliest AND _time &lt;=latest |eventstats count by source|dedup source |table _time,source,count</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

synastraa
Path Finder
‎04-03-2019 08:57 PM

Hi vnravikumar,

Could you provide some explanation as I'm kind of new to splunk and have some trouble understanding how this works. Greatly appreciated. Thanks!

0 Karma
Reply

vnravikumar
Champion
‎04-03-2019 09:04 PM

Hi

As you know that we can't apply time pickers earliest and latest to the query that has used base query. For that, I had created dummy dropdown to get time2's earliest and latest token. Then I had used the same in the new panel.

0 Karma
Reply

synastraa
Path Finder
‎04-03-2019 09:45 PM

Hi

Have tried out the query and not sure if I am doing it right as it has return no results found. Thanks!
Have attached my query below. 

     <row>
     <panel>
       <input type="time" token="time1">
         <label></label>
         <default>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </default>
       </input>
       <input type="dropdown" depends="$hide$">
         <search>
               <query>|makeresults </query>
           <earliest>$time1.earliest$</earliest>
           <latest>$time1.latest$</latest>
           <progress>
             <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%d%H:%M:%S.%Q")</eval>
             <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%d%H:%M:%S.%Q")</eval>
             <set token="jobEarliest">$job.earliestTime$</set>
             <set token="jobLatest">$job.latestTime$</set>
           </progress>
         </search>
       </input>
     </panel>
   </row>
  <row>
    <panel>
      <title>SLA Email Response Time Breached Rate %</title>
      <single>
        <search base="base_search">
          <query>|eval earliest = $toEarliest$ |eval latest = if($toLatest$ &lt;0,now(),$toLatest$)
           |where _time &gt;=earliest AND _time &lt;=latest
           |where reportedsource="Email"|stats count(eval(responsetime &gt;2)) as "Breached" ,  count(eval(reportedsource ="Email"))  as total_count  | eval percentage= round((Breached/total_count)*100,2) |eval Breached Rate=percentage| table "Breached Rate"</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[50,80]</option>
        <option name="refresh.display">preview</option>
        <option name="unit">%</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
      </single>
    </panel>
0 Karma
Reply

vnravikumar
Champion
‎04-03-2019 09:54 PM

Hi

Do you have a record for that duration, can you please remove those condition and check.

0 Karma
Reply

synastraa
Path Finder
‎04-03-2019 10:00 PM

Hi ,

Yes I have records in that duration, have also tried all time but it still shows no results found. Thanks

0 Karma
Reply

vnravikumar
Champion
‎04-03-2019 10:45 PM

Can you debug and check the values of two new tokens. like

      <input type="text">
        <label>Earliest</label>
        <default>$toEarliest$</default>
      </input>
      <input type="text">
        <label>Latest</label>
        <default>$toLatest$</default>
      </input>
0 Karma
Reply

synastraa
Path Finder
‎04-03-2019 11:53 PM

Hi ,

I have attached a screenshot of what I am seeing.
https://imgur.com/a/JWC77Tc

0 Karma
Reply

FrankVl
Ultra Champion
‎04-03-2019 03:41 AM

Those properties must be before the closing </search> tag.

Edit: oh, and what @vnravikumar says in his comment.

0 Karma
Reply

vnravikumar
Champion
‎04-03-2019 03:41 AM

Hi

If you use base query you can't use the earliest and latest token there.

0 Karma
Reply

synastraa
Path Finder
‎04-03-2019 07:19 PM

@vnravikumar

Yes I have a base query in my code. Is there still any approach I could take to do up individual time filters with a base query while keeping my global filter that filters everything together? Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...