Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Panel to display n days before data based upon...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Panel to display n days before data based upon time picker selected
Hi,
Am trying to have two panels with one showing the data corresponding to the range selected in time picker and the other panel showing data for the same time range but 7 days earlier. Have tried using eval to assign the 7d time range into tokens (after searching online).
<input type="time" token="Time_Range" >
<label>Time</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
<change>
<eval token="weekearliest">relative_time(relative_time(time(), "$earliest$"), "-7d")</eval>
<eval token="weeklatest">relative_time(relative_time(time(), "$latest$"), "-7d")</eval>
</change>
</input>
Have added the tokens initialized weekearliest and weeklatest as token based search in another panel but it doesnt seems to work,
<earliest>$weekearliest$</earliest>
<latest>$weeklatest$</latest>
Can kindly provide pointers to check on how to implement them?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Played with this on Splunk 7.1.x. I have always created a search, used addinfo to the earliest latest, manipulated them as needed and then created tokens to use elsewhere. But I like your approach too.
Anyway, I removed some quotes and added a check for the case when latest is now...because that didn't seem to work as a modifier in the relative_time() function. Also, you may need to account for the all time scenario too...
Here's a very simple dashboard that just shows the tokens in the title of an empty panel.
<form>
<label>Timepicker Test</label>
<fieldset>
<input type="time" token="Time_Range" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
<change>
<eval token="weekearliest">relative_time(relative_time(now(),$earliest$,-7d)</eval>
<eval token="weeklatest">if($latest$="now",now(),relative_time(now(),$latest$)</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<title>$weekearliest$ $weeklatest$</title>
<single>
<search>
<query/>
</search>
</single>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your token is time_range, so your evals on change tags should look something like this relative_time(relative_time(time_range, "$earliest$"), "-7d")
<eval token="weeklatest">relative_time(relative_time(time_range, "$latest$"), "-7d")</eval>
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
