Solved: Need help in populating the time ranges in dropdow...

renjujacob88 · ‎03-30-2017

Hi

I need help in populating the time range values like first week , 2 week , 3 week and 4 week in dropdown box...

My requirement is to display the number of failed login attempts day wise for the first week , second week third week and fourth week which i can be selected from dropbox

Query :sourcetype=WinEventLog:Security EventCode=4625| timechart span=1d count

snapshot given below

splunk XML given below

But i'm not able to populate the values.
1 week should be from 1 to 7th day
2 nd week from 8 to 14th day
3rd week 15 to 21th day
4 week 22 to 29

How can i populate the values in dashboard . is there any other way i can populate .Any help ?

somesoni2 · ‎03-30-2017

Since these are custom time ranges that you define for a month, you can either create a custom dropdown (not the traditional time range picker) with those as static values OR use the 'Advanced' section in the traditional time range picker. In both case these should be earliest and latest (assuming your run for current month)

Week1 -  Earliest: @mon , latest: @mon+7d
Week1 -  Earliest: @mon+8d, latest: @mon+14d
Week1 -  Earliest: @mon+15d, latest: @mon+21d
Week1 -  Earliest: @mon+22d, latest: @mon+29d

View solution in original post

nfilippi_splunk · ‎03-30-2017

you can also do something like this:

  <input type="dropdown" token="simple">
    <label>Simple Time Picker</label>
    <choice value="last_24h">Last 24 Hours</choice>
    <choice value="last_7d">Last 7 days</choice>
    <choice value="last_30d">Last 30 days</choice>
    <default>last_24h</default>
    <change>
      <condition value="last_24h">
        <set token="simple.label">$label$</set>
        <set token="simple.earliest">-24h</set>
        <set token="simple.latest">now</set>
      </condition>
      <condition value="last_7d">
        <set token="simple.label">$label$</set>
        <set token="simple.earliest">-7d</set>
        <set token="simple.latest">now</set>
      </condition>
      <condition value="last_30d">
        <set token="simple.label">$label$</set>
        <set token="simple.earliest">-30d</set>
        <set token="simple.latest">now</set>
      </condition>
    </change>
  </input>

renjujacob88 · ‎03-30-2017

Thanks @nfilippi for your query , and its working fine

somesoni2 · ‎03-30-2017

Since these are custom time ranges that you define for a month, you can either create a custom dropdown (not the traditional time range picker) with those as static values OR use the 'Advanced' section in the traditional time range picker. In both case these should be earliest and latest (assuming your run for current month)

Week1 -  Earliest: @mon , latest: @mon+7d
Week1 -  Earliest: @mon+8d, latest: @mon+14d
Week1 -  Earliest: @mon+15d, latest: @mon+21d
Week1 -  Earliest: @mon+22d, latest: @mon+29d

renjujacob88 · ‎03-30-2017

Hi Somesoni 2: Thanks for the help

xml looks like this and this is working

test windows 3

<panel>
  <input type="dropdown" token="earliest_tok">
    <label>field1</label>
    <choice value="@mon&quot;  latest=&quot;@mon+7d">Week 1</choice>
    <choice value="@mon+8d&quot; latest=&quot;@mon+14d">Week2</choice>
    <prefix>earliest="</prefix>
    <suffix>"</suffix>
  </input>
  <chart>
    <search>
      <query>sourcetype=WinEventLog:Security  $earliest_tok$ EventCode=4624| timechart span=1d count</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="charting.chart">column</option>
  </chart>
</panel>

Need help in populating the time ranges in dropdown box

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk