Dashboards & Visualizations

Is it possible to override a base search <earliest> and <latest> fields?

J1883R15H
Engager

I have a dashboard where all the panels use the same base search. I now want to add another panel that uses the same base search query, but that specifies a different time range from what is used elsewhere.

Is it possible to override the <earliest> and <latest> nodes that are specified in my base search?

The time range I want to use is outside of that in my base search.

I get the validation warning:

Unknown node <latest>

Node <latest> is not allowed here

isoutamo
SplunkTrust

Hi

Basically it's doable, but it needs some additional checks etc. Here is a concept of how it can be done:

<form>
  <label>two timeframe</label>
  <search id="basesearch">
    <query>
      <![CDATA[
    index=_internal source=*splunkd.log
]]>
    </query>
    <earliest>$timeTotal.earliest$</earliest>
    <latest>$timeTotal.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <search base="basesearch" id="base1">
    <query><![CDATA[
    | where _time > relative_time(now(),"$time1.earliest$") AND _time < relative_time(now(),"$time1.latest$")
    ]]></query>
  </search>
  <search base="basesearch" id="base2">
    <query><![CDATA[
     | where _time > relative_time(now(),"$time2.earliest$") AND _time < relative_time(now(),"$time2.latest$")
    ]]></query>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timeTotal">
      <label>Time Total</label>
      <default>
        <earliest>-1h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="time" token="time1">
      <label>Time slot  1</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>-30m@m</latest>
      </default>
    </input>
    <input type="time" token="time2">
      <label>Time slot 2</label>
      <default>
        <earliest>-30m@m</earliest>
        <latest>-1s@s</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>first timeframe</title>
        <search base="base1">
          <query>
| timechart count by sourcetype</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>second timeframe</title>
        <search base="base2">
          <query>
| timechart count by sourcetype</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>


r. Ismo

to4kawa
Ultra Champion

sample:

<dashboard>
  <label>two timeframe</label>
  <search id="basesearch">
    <query>index=_internal (earliest=-6h latest=-5h) OR (earliest=-2h latest=-1h)
| eval timeflag=if(_time &gt;= relative_time(now(),"-2h@h"),"first","second")</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <chart>
        <title>first timeframe</title>
        <search base="basesearch">
          <query>| where timeflag="first"
| timechart count by sourcetype</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>second timeframe</title>
        <search base="basesearch">
          <query>| where timeflag="second"
| timechart count by sourcetype</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>

You can't use a time picker, but it's doable.

reference: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-add-a-second-token-to-narrow-the-dr...
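An added example (not code from either post) that combines isoutamo's token-filtered post-process search with the "additional checks" it calls for: a time picker can emit an epoch number or now as well as a relative specifier such as -60m@m, so the slot tokens are normalised with case() before the _time comparison, and the base search is made transforming (stats by minute) because a post-process search on a non-transforming base search is capped at 10,000 events. As in both answers above, the Time Total window still has to contain the slot; the timeTotal/time1 tokens and the slot1 id are names chosen here.

```xml
<form>
  <label>two timeframe (token check example)</label>
  <!-- Base search: one wide window that must contain every slot. -->
  <search id="basesearch">
    <query><![CDATA[
index=_internal source=*splunkd.log
| bin _time span=1m
| stats count by _time sourcetype
]]></query>
    <earliest>$timeTotal.earliest$</earliest>
    <latest>$timeTotal.latest$</latest>
  </search>
  <!-- Post-process search: normalise the slot tokens before comparing.
       A time picker yields an epoch number for absolute ranges, "now"
       (or an empty latest), or a relative specifier such as -60m@m;
       relative_time() only accepts the last form, so each case is handled. -->
  <search base="basesearch" id="slot1">
    <query><![CDATA[
| eval e="$time1.earliest$", l="$time1.latest$"
| eval e_epoch=case(e=="now", now(), match(e,"^\d+(\.\d+)?$"), tonumber(e), true(), relative_time(now(), e))
| eval l_epoch=case(l=="" OR l=="now", now(), match(l,"^\d+(\.\d+)?$"), tonumber(l), true(), relative_time(now(), l))
| where _time >= e_epoch AND _time < l_epoch
| fields - e l e_epoch l_epoch
]]></query>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timeTotal">
      <label>Time Total</label>
      <default><earliest>-4h@h</earliest><latest>now</latest></default>
    </input>
    <input type="time" token="time1">
      <label>Time slot 1</label>
      <default><earliest>-60m@m</earliest><latest>-30m@m</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>slot 1 (must lie inside Time Total)</title>
        <search base="slot1">
          <query>| timechart span=1m sum(count) as count by sourcetype</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```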

richgalloway
SplunkTrust
I agree with @gcusello. If the base search doesn't meet your needs then you need a separate search.
---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @J1883R15H ,

I don't think so: I had the same problem and I used two basesearches.

Ciao.

Giuseppe


isoutamo
SplunkTrust

Hi

I haven't tried it and have no Splunk node at hand now, but (sometimes) one base search with a wider time span and then two sub base searches which use that main base search with different time spans inside the main span?

r. Ismo


to4kawa
Ultra Champion

Hi @isoutamo

your <![CDATA[ ... ]]> usage is nice. I'll use it.
