Problem extending the search range to a day before the actually selected range, e.g. if the user selects today, show today + yesterday results.

bharathdoitnow
New Member

I am creating a dashboard which shows results based on search range.

Problem statement:
1. The user fills a form in the web application.
2. Logs into the Splunk dashboard and looks for the logs by choosing "today" in the time picker.
3. No results come up, as the logs were tagged with a time stamp from the day before.
4. When the user changes the time to yesterday or the last 2 days, results are shown.

So I want to extend the user's search range by 1 day earlier in the back end. I tried to do it, but it is not working as expected.

What I tried:

Time picker: (screenshot not preserved)

0 Karma
1 Solution

niketn
Legend

@bharathdoitnow, you would need to pass the time input tokens to a dummy search and then use $job.earliestTime$, which is a default token for the <search> handler. PS: As per your question, you need to show -24h data along with the selected time range, which means you don't need to adjust the latest time, just the earliest time. You can also refer to my previous answer for details (one more solution approach using addinfo: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html)

Please try the following run-anywhere dashboard and confirm:

<form>
  <label>Adjust Search Earliest Time</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Dummy search: it runs over the picked range only so that its <done> handler
       can read the resolved $job.earliestTime$ and shift it back by 24 hours. -->
  <search>
    <query>| makeresults
    </query>
    <done>
      <set token="tokAdjustedEarliestTimeString">$job.earliestTime$</set>
      <eval token="tokAdjustedEarliestTimeEpoch">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-24h")</eval>
    </done>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
  </search>
  <row>
    <panel>
      <!-- The title echoes both tokens: confirm the epoch value is populated
           before trusting the results of the table below. -->
      <title>tokAdjustedEarliestTimeString: "$tokAdjustedEarliestTimeString$" | tokAdjustedEarliestTimeEpoch= "$tokAdjustedEarliestTimeEpoch$"</title>
      <table>
        <!-- Actual data search: earliest comes from the adjusted token, latest from the picker. -->
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
          | timechart count</query>
          <earliest>$tokAdjustedEarliestTimeEpoch$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
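A practitioner will want to verify that the adjusted token really widened the window rather than relying on the row count alone. The panel search below is an added example, not code from the original answer; it uses the addinfo approach the answer links to, and assumes the same tokAdjustedEarliestTimeEpoch and tokTime tokens as the dashboard above and the same index=_internal data. Drop it in place of the table panel's <search> element.

```xml
<search>
  <!-- addinfo exposes the window this search was actually dispatched with as
       info_min_time / info_max_time (epoch seconds), independently of what
       the tokens claim, so the dashboard can show the effective range. -->
  <query>index=_internal sourcetype=splunkd log_level!=INFO
| addinfo
| eval window_start=strftime(info_min_time, "%F %T"),
       window_end=strftime(info_max_time, "%F %T"),
       window_hours=round((info_max_time - info_min_time) / 3600, 1)
| stats count, min(_time) AS first_event, max(_time) AS last_event
        BY window_start, window_end, window_hours
| eval first_event=strftime(first_event, "%F %T"),
       last_event=strftime(last_event, "%F %T")</query>
  <earliest>$tokAdjustedEarliestTimeEpoch$</earliest>
  <latest>$tokTime.latest$</latest>
</search>
```

With "Today" picked, window_start should read yesterday at 00:00:00 and window_hours should be about 24 hours larger than the raw picker window; if window_start does not move back a day, the token is not being applied the way the dashboard intends. Caveat: with "All time" selected, info_max_time is +Infinity and window_hours is not meaningful.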

niketn
Legend

@bharathdoitnow, have you tried the run-anywhere dashboard above?

0 Karma

bharathdoitnow
New Member

Thank you @Niketnilay, it looks very easy now. I am trying it out today...

0 Karma

niketn
Legend

@bharathdoitnow, sure, if it makes sense it would surely work. Try it out and confirm! All the best 🙂

0 Karma

bharathdoitnow
New Member

@niketnilay Thank you for the answer. It worked and solved my major issue of searching with a standard timestamp.

0 Karma

niketn
Legend

@bharathdoitnow, if it worked for you, please don't forget to accept the answer and upvote the comments that helped!

0 Karma

niketn
Legend

@bharathdoitnow, I stumbled on this old post. If your issue was resolved, kindly accept this answer to mark the question as answered and assist others facing a similar issue! 🙂

0 Karma

bharathdoitnow
New Member
<earliest>$shared_time.earliest$-24h</earliest>
The earliest time in the screenshot was a typo; anyway, that's not a working solution.
0 Karma