Solved: Re: Problem in enhancing search range by a Day bef... - Splunk Community

Dashboards & Visualizations

I am creating a dashboard which shows results based on search range.

Problem Statement :
1. user fills a form in the web application.
2. Logs into Splunk dashboard and looks for logs by choosing "today" in time picker
3. no results comes up as the logs were tagged under a day before time stamp.
4. when user changes time to yesterday or last 2 days, results are shown.

So I want to enhance the user search range + 1 day before in the back end. I tried to do but it is is not working as expected.

What I tried:

Time picker:

25 KB

1 Solution

Solution

@bharathdoitnow, you would need to pass on the Time input tokens to a dummy search and then use $job.earliestTime$
which is default token for <search> handler. PS: As per your question you need to show -24h data along with selected time range, which means you don't need to adjust latest time just the earliest time. You can also refer to my previous answer for details (one more solution approach using addinfo https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html)

Please try the following run anywhere dashboard and confirm:

<form>
  <label>Adjust Search Earliest Time</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search>
    <query>| makeresults
    </query>
    <done>
      <set token="tokAdjustedEarliestTimeString">$job.earliestTime$</set>
      <eval token="tokAdjustedEarliestTimeEpoch">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-24h")</eval>
    </done>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
  </search>
  <row>
    <panel>
      <title>tokAdjustedEarliestTimeString: "$tokAdjustedEarliestTimeString$" | tokAdjustedEarliestTimeEpoch= "$tokAdjustedEarliestTimeEpoch$"</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
          | timechart count</query>
          <earliest>$tokAdjustedEarliestTimeEpoch$</earliest>
          <latest>$tokTime.latest$</latest>          
        </search>
      </table>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Solution

@bharathdoitnow, you would need to pass on the Time input tokens to a dummy search and then use $job.earliestTime$
which is default token for <search> handler. PS: As per your question you need to show -24h data along with selected time range, which means you don't need to adjust latest time just the earliest time. You can also refer to my previous answer for details (one more solution approach using addinfo https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html)

Please try the following run anywhere dashboard and confirm:

<form>
  <label>Adjust Search Earliest Time</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search>
    <query>| makeresults
    </query>
    <done>
      <set token="tokAdjustedEarliestTimeString">$job.earliestTime$</set>
      <eval token="tokAdjustedEarliestTimeEpoch">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-24h")</eval>
    </done>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
  </search>
  <row>
    <panel>
      <title>tokAdjustedEarliestTimeString: "$tokAdjustedEarliestTimeString$" | tokAdjustedEarliestTimeEpoch= "$tokAdjustedEarliestTimeEpoch$"</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
          | timechart count</query>
          <earliest>$tokAdjustedEarliestTimeEpoch$</earliest>
          <latest>$tokTime.latest$</latest>          
        </search>
      </table>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

@bharathdoitnow, have you tried the run anywhere dashboard above.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Thank you @Niketnilay, It looks very easy now. I am trying it out today....

@bharathdoitnow, sure if it makes sense surely it would work. Try out and confirm! All the best 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

@niketnilay Thank you for the answer.. It worked and Solved my Major issue to search with a standard Timestamp.

@bharathdoitnow, if it worked for you please dont forget to accept the answers and up vote the comments that helped!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

@bharathdoitnow stumbled on this old post. If your issue was resolved kindly accept this answer to mark the question as answered and assist others facing similar issue! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

     <earliest>$shared_time.earliest$-24h</earliest> earliest time in screenshot was a typo, anyway thats not a working solution.

Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here! The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...