Dashboards & Visualizations

Is there a way to pick a point in time (not a time range) using Simple XML?

Lowell
Super Champion

I'm looking for a SimpleXML form input that allows the user to pick a point in time rather than a time range (like the default time range picker does).

Example use case: Determining who was given an IP address given DHCP lease events. For this kind of data, the event itself represents a "time range" (start/end times of the IP address lease) and I simply want to know who (which MAC address) was assigned that IP address at a specific point in time.

For efficiency, I'll want to use the user's time selection to drive the Splunk search timeframe (probably +/- 6 hours) from the time selected. And then within the search, only keep events where the time in question (user's input) is between the lease start and end time.

Any thoughts? I'm open to custom HTML snippets and javascript, but I'd like to avoid full-blown HTML dashboards if possible.

0 Karma

somesoni2
Revered Legend

Try something like this. Run anywhere sample. It's basically a separate input (dropdown) for each timestamp part, and the main query selects records +/- 6 hours of the selected time. It also provides the selected time in epoch, which you can use for further calculation, for your filter based on the start and end time.

<form>
  <label>Sample</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="year">
      <label>Year</label>
      <search>
        <query>| gentimes start=-1 | eval temp=mvrange(0,5) | table temp | mvexpand temp  | eval temp=tonumber(strftime(now(),"%Y"))-temp</query>
      </search>
      <fieldForLabel>temp</fieldForLabel>
      <fieldForValue>temp</fieldForValue>
    </input>
    <input type="dropdown" token="month" searchWhenChanged="true">
      <label>Month</label>
      <search>
        <query>| gentimes start=-1 | eval temp=mvrange(1,13) | table temp | mvexpand temp</query>
      </search>
      <fieldForLabel>temp</fieldForLabel>
      <fieldForValue>temp</fieldForValue>
    </input>
    <input type="dropdown" token="day" searchWhenChanged="true">
      <label>Day</label>
      <search>
        <query>| gentimes start=-1 | eval isleap=if($year$%4=0,1,0)
| eval limit=case($month$=1 OR $month$=3 OR $month$=5 OR $month$=7 OR $month$=8 OR $month$=10 OR $month$=12,32,$month$=2 AND isleap=1,30,$month$=2 AND isleap=0 ,29,1=1,31)| eval temp=mvrange(1,limit) | table temp | mvexpand temp</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>temp</fieldForLabel>
      <fieldForValue>temp</fieldForValue>
    </input>
    <input type="dropdown" token="hour">
      <label>Hour</label>
      <search>
        <query>| gentimes start=-1 | eval temp=mvrange(0,24) | table temp | mvexpand temp</query>
      </search>
      <fieldForLabel>temp</fieldForLabel>
      <fieldForValue>temp</fieldForValue>
    </input>
    <input type="dropdown" token="min">
      <label>Minute</label>
      <search>
        <query>| gentimes start=-1 | eval temp=mvrange(0,60) | table temp | mvexpand temp</query>
      </search>
      <fieldForLabel>temp</fieldForLabel>
      <fieldForValue>temp</fieldForValue>
    </input>
    <input type="dropdown" token="sec">
      <label>Second</label>
      <search>
        <query>| gentimes start=-1 | eval temp=mvrange(0,60) | table temp | mvexpand temp</query>
      </search>
      <fieldForLabel>temp</fieldForLabel>
      <fieldForValue>temp</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal [| gentimes start=-1 | eval timefield=strptime("$year$/$month$/$day$ $hour$:$min$:$sec$", "%Y/%m/%d %H:%M:%S") | eval earliest=timefield-21600 | eval latest=timefield+21600 | table earliest, latest | format "" "" "" "" "" "" ] | timechart count |eval timefield=strptime("$year$/$month$/$day$ $hour$:$min$:$sec$", "%Y/%m/%d %H:%M:%S")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>       
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>
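An added example (not from somesoni2's post) of what the result panel could look like for Lowell's DHCP use case: the same subsearch drives the +/- 6 hour window, and a where clause keeps only leases that were active at the chosen instant. The index name dhcp, the sourcetype dhcp_lease and the field names ip, mac and lease_duration (seconds) are assumptions about the DHCP events; the comparison operators are XML-escaped because they sit inside the query element.

```xml
<row>
  <panel>
    <title>DHCP lease active at the selected time</title>
    <table>
      <search>
        <!-- index, sourcetype and field names are assumed; adjust to your DHCP data -->
        <query>index=dhcp sourcetype=dhcp_lease
  [| gentimes start=-1
   | eval t=strptime("$year$/$month$/$day$ $hour$:$min$:$sec$", "%Y/%m/%d %H:%M:%S")
   | eval earliest=t-21600
   | eval latest=t+21600
   | table earliest latest
   | format "" "" "" "" "" "" ]
| eval t=strptime("$year$/$month$/$day$ $hour$:$min$:$sec$", "%Y/%m/%d %H:%M:%S")
| eval lease_start=_time
| eval lease_end=_time+lease_duration
| where lease_start&lt;=t AND t&lt;lease_end
| sort - lease_start
| fieldformat lease_start=strftime(lease_start, "%Y-%m-%d %H:%M:%S")
| fieldformat lease_end=strftime(lease_end, "%Y-%m-%d %H:%M:%S")
| table ip mac lease_start lease_end</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <option name="count">20</option>
    </table>
  </panel>
</row>
```

The 21600-second window must be at least as long as the longest lease the server hands out; a lease that started before the window opened but was still active at the selected time would otherwise never be retrieved by the outer search.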

frobinson_splun
Splunk Employee

Hi @Lowell,
This isn't a complete answer but here are some initial thoughts:

Check out the "Dropdown Form Input Element" example in the Dashboard Examples app. It discusses populating an input dynamically based on your events. If you have some kind of time field in your events, I believe you could use it to populate choices in the input:
https://splunkbase.splunk.com/app/1603/

There are Simple XML elements, "fieldForLabel" and "fieldForValue", that allow you to populate the input choices dynamically:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Viz/PanelreferenceforSimplifiedXML#input_type_....

It might be possible to then use tokens to capture the selected value from the input and then set a time range for a search to run when that selection changes. Here is some documentation that might help:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Viz/tokens#Conditional_operations_with_form_inp...

Hope this helps you get started! Feel free to post additional questions and we can keep discussing.

0 Karma

Lowell
Super Champion

Hmm. Well, there are way too many timestamp combinations to pre-populate an input or drop-down. The link to the conditions stuff may turn out to be helpful, thanks!

0 Karma