Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Panel to display n days before data based upon time picker selected

irvanramuk
New Member
‎09-09-2019 09:27 PM

Hi,

Am trying to have two panels with one showing the data corresponding to the range selected in time picker and the other panel showing data for the same time range but 7 days earlier. Have tried using eval to assign the 7d time range into tokens (after searching online).

    <input type="time" token="Time_Range" >
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="weekearliest">relative_time(relative_time(time(), "$earliest$"), "-7d")</eval>
        <eval token="weeklatest">relative_time(relative_time(time(), "$latest$"), "-7d")</eval>
      </change>
    </input>

Have added the tokens initialized weekearliest and weeklatest as token based search in another panel but it doesnt seems to work, 

          <earliest>$weekearliest$</earliest>
          <latest>$weeklatest$</latest>

Can kindly provide pointers to check on how to implement them?

Tags (1)
0 Karma
Reply

maciep
Champion
‎09-15-2019 05:58 AM

Played with this on Splunk 7.1.x. I have always created a search, used addinfo to the earliest latest, manipulated them as needed and then created tokens to use elsewhere. But I like your approach too.

Anyway, I removed some quotes and added a check for the case when latest is now...because that didn't seem to work as a modifier in the relative_time() function. Also, you may need to account for the all time scenario too...

Here's a very simple dashboard that just shows the tokens in the title of an empty panel.

<form>
  <label>Timepicker Test</label>
  <fieldset>
    <input type="time" token="Time_Range" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="weekearliest">relative_time(relative_time(now(),$earliest$,-7d)</eval>
        <eval token="weeklatest">if($latest$="now",now(),relative_time(now(),$latest$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$weekearliest$   $weeklatest$</title>
      <single>
        <search>
          <query/>
        </search>
      </single>
    </panel>
  </row>
</form>
0 Karma
Reply

Sukisen1981
Champion
‎09-10-2019 01:19 AM

your token is time_range, so your evals on change tags should look something like this relative_time(relative_time(time_range, "$earliest$"), "-7d")
<eval token="weeklatest">relative_time(relative_time(time_range, "$latest$"), "-7d")</eval>

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...