Solved: Manipulating time token with a comparison in dashb...

Shahindoh · ‎06-16-2021

Hi there,

I'm quite new to Splunk so sorry in advance if I'm asking a silly question.
I'm trying to modify token selected by user with time picker earliest / latest to have -5 days / +5 days that I'm then using in epoch format in my search combined with info-min-time / info_max_time.

So far, following other topics and knowledge base I've been able to get it down, except when the user selects "All time" in time picker which ends up having a earliest token with a negative value.

I'm doing the following at the beginning of my dashboard and then using TimeRange.earliest_epoch / TimeRange.latest_epoch in my panels.

 <input type="time" token="TimeRange">
      <label>TimeRange</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
      <change>
        <eval token="TimeRange.earliest_epoch">if(isnum('earliest'),'earliest',relative_time(now(),'earliest')-432000</eval>
                <eval token="TimeRange.latest_epoch">if(isnum('latest'),'latest',relative_time(now(),'latest')+432000</eval>
      </change>
    </input>

I added a table panel to display the values of the tokens to see what's happening exactly :

<row>
    <panel>
      <table>
        <title>testDates</title>
        <search>
          <query>| makeresults 
| eval StartTimestamp0="$TimeRange.earliest$"
| eval StartTimestamp1=$TimeRange.earliest_epoch$
| eval starttime=strftime(StartTimestamp1,"%Y-%m-%d %H:%M:%S.%Q")</query>
          <earliest>$TimeRange.earliest$</earliest>
          <latest>$TimeRange.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>

No surprise, when selecting "All time" it gave me :

StartTimestamp0 = 0

StartTimestamp1 = -432000

Which is making my subsequent searchs in panels to fail.

I don't manage to catch the case where earliest = 0 before assigning value to TimeRange.earliest_epoch or check if second token equals -432000 to assign a different value (1514764800 in this case as this is a safe old date for my dataset).

All my attempts failed, such as adding a second token where I checked if equal -432000 or below 0 :

        <eval token="TimeRange.earliest_epoch2">if('TimeRange.earliest_epoch'=='-432000','1514764800','TimeRange.earliest_epoch')</eval>

or

<eval token="TimeRange.earliest_epoch2">if('TimeRange.earliest_epoch'&lt;'0','1514764800','TimeRange.earliest_epoch')</eval>

The second token kept the value of TimeRange.earliest_epoch. I added an imbricated if condition in the first token eval and again it looks like it goes to else case everytime.

Can you please help me understand what is failing ?

Thanks in advance !

richgalloway · ‎06-16-2021

A second token shouldn't be needed. Just use max to keep the token from getting a negative value.

<eval token="TimeRange.earliest_epoch">max(0,if(isnum('earliest'),'earliest',relative_time(now(),'earliest')-432000)</eval>

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-16-2021

A second token shouldn't be needed. Just use max to keep the token from getting a negative value.

<eval token="TimeRange.earliest_epoch">max(0,if(isnum('earliest'),'earliest',relative_time(now(),'earliest')-432000)</eval>

---
If this reply helps you, Karma would be appreciated.

Shahindoh · ‎06-16-2021

Thank you so much !

Quite simple and elegant and it gave me headaches for 2 days 😉

Any idea why I couldn't make some simple numeric comparison / evaluation in my XML ?

richgalloway · ‎06-16-2021

TBH, I didn't really look once I though of a solution.

---
If this reply helps you, Karma would be appreciated.

Manipulating time token with a comparison in dashboard

token

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!

Enterprise Security Content Update (ESCU) | New Releases