I am creating a dashboard which shows results based on a search range.
Problem statement:
1. The user fills in a form in the web application.
2. They log into the Splunk dashboard and look for the logs by choosing "today" in the time picker.
3. No results come up, as the logs were tagged with the previous day's timestamp.
4. When the user changes the time to yesterday or the last 2 days, the results are shown.
So I want to extend the user's search range by one day earlier in the back end. I tried to do this but it is not working as expected.
What I tried:
Time picker:
@bharathdoitnow, you would need to pass on the Time input tokens to a dummy search and then use $job.earliestTime$, which is the default token for the <search> handler. PS: As per your question you need to show -24h of data along with the selected time range, which means you don't need to adjust the latest time, just the earliest time. You can also refer to my previous answer for details (one more solution approach using addinfo: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html). Please try the following run-anywhere dashboard and confirm:
<form>
  <label>Adjust Search Earliest Time</label>
  <fieldset submitButton="false">
    <!-- Time picker; the chosen range lands in $tokTime.earliest$ / $tokTime.latest$ -->
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Dummy search, run over the picked range only so that its <done> handler can read
       $job.earliestTime$ (the resolved start of that range) and shift it back by 24h.
       The raw $job.earliestTime$ string is echoed in the panel title below: make sure the
       strptime pattern here matches that string exactly, otherwise the eval yields null
       and the panel search never gets a usable earliest time. -->
  <search>
    <query>| makeresults</query>
    <done>
      <set token="tokAdjustedEarliestTimeString">$job.earliestTime$</set>
      <eval token="tokAdjustedEarliestTimeEpoch">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-24h")</eval>
    </done>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
  </search>
  <row>
    <panel>
      <title>tokAdjustedEarliestTimeString: "$tokAdjustedEarliestTimeString$" | tokAdjustedEarliestTimeEpoch= "$tokAdjustedEarliestTimeEpoch$"</title>
      <table>
        <!-- Real search: earliest is the shifted epoch, latest stays exactly as picked -->
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| timechart count</query>
          <earliest>$tokAdjustedEarliestTimeEpoch$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
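The dashboard above does its time arithmetic inside Splunk, so the only way to see what the widened window actually covers is the panel title. As an added example (not part of this thread and not Splunk's own code), the script below mirrors the `relative_time(strptime($job.earliestTime$, ...), "-24h")` step in plain Python: it resolves the kind of values a time picker emits (`@d`, `-24h@h`, `now`, epoch seconds, `0` for all time), pushes only the earliest bound back by a day, and runs the original question's scenario against a constructed set of form events that carry the previous day's timestamp. Assumptions, labelled in the code: all times are UTC, the event timestamps and clock value are made up, and only a subset of Splunk's relative-time grammar (units s, m, h, d, w, mon, y; no w0-w6 snaps, no quarters) is modelled.

```python
import re
from datetime import datetime, timedelta, timezone

# Relative-time grammar handled here: [+|-]<n><unit>[@<snap>], plus "now" and epoch seconds.
# Assumption: this is a subset of Splunk's syntax (no w0..w6 snaps, no "q" quarters).
_REL = re.compile(r"^([+-]?)(\d*)(mon|s|m|h|d|w|y)?(?:@(mon|s|m|h|d|w|y))?$")
_EPOCH = re.compile(r"^\d+(\.\d+)?$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def _shift(dt, sign, n, unit):
    """Move dt by n units; months and years are calendar-aware, the rest are fixed seconds."""
    if unit in _SECONDS:
        return dt + timedelta(seconds=sign * n * _SECONDS[unit])
    if unit == "mon":
        total = dt.year * 12 + dt.month - 1 + sign * n
        return dt.replace(year=total // 12, month=total % 12 + 1)  # day kept; 31st -> ValueError on short months
    if unit == "y":
        return dt.replace(year=dt.year + sign * n)
    raise ValueError(f"unsupported unit {unit!r}")


def _snap(dt, unit):
    """Truncate dt to the start of the given unit ('@' semantics; @w snaps to Sunday)."""
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "mon":
        return day.replace(day=1)
    if unit == "y":
        return day.replace(month=1, day=1)
    raise ValueError(f"unsupported snap unit {unit!r}")


def resolve(token, now):
    """Resolve one time-picker token to an aware datetime; None means unbounded (earliest=0 / empty)."""
    token = token.strip()
    if token in ("", "0"):
        return None
    if token == "now":
        return now
    if _EPOCH.match(token):
        return datetime.fromtimestamp(float(token), tz=timezone.utc)
    m = _REL.match(token)
    if not m:
        raise ValueError(f"unrecognised time token {token!r}")
    sign_s, n_s, unit, snap = m.groups()
    dt = now
    if n_s:
        if unit is None:
            raise ValueError(f"offset without unit in {token!r}")
        dt = _shift(dt, -1 if sign_s == "-" else 1, int(n_s), unit)
    if snap:
        dt = _snap(dt, snap)  # offset first, then snap, left to right
    return dt


def widen_window(earliest_tok, latest_tok, now, days_back=1):
    """Resolve both tokens, then push earliest back by days_back days.
    latest is left alone: only the start of the range has to move."""
    earliest = resolve(earliest_tok, now)
    latest = resolve(latest_tok, now)
    if earliest is not None:
        earliest -= timedelta(days=days_back)
    return earliest, latest


def in_window(ts, earliest, latest):
    """Range semantics: earliest is inclusive, latest is exclusive."""
    return (earliest is None or earliest <= ts) and (latest is None or ts < latest)


# Constructed sample (assumption): the clock, and two form submissions whose events carry
# the previous day's timestamp, exactly the situation described in the question.
NOW = datetime(2018, 1, 10, 15, 0, tzinfo=timezone.utc)
EVENTS = {
    "form-A": datetime(2018, 1, 9, 14, 30, tzinfo=timezone.utc),  # submitted "today", stamped yesterday
    "form-B": datetime(2018, 1, 8, 9, 0, tzinfo=timezone.utc),    # submitted yesterday, stamped the day before
}


def matching_events(earliest_tok, latest_tok, now=NOW, widen=False):
    """Event ids a search over the picker range would return, optionally with the widened earliest."""
    if widen:
        earliest, latest = widen_window(earliest_tok, latest_tok, now)
    else:
        earliest, latest = resolve(earliest_tok, now), resolve(latest_tok, now)
    return sorted(k for k, ts in EVENTS.items() if in_window(ts, earliest, latest))


if __name__ == "__main__":
    print("today, as picked:", matching_events("@d", "now"))
    print("today, widened:  ", matching_events("@d", "now", widen=True))
```

With "today" (`@d` to `now`) the picker window starts at midnight and misses the event stamped the day before; widening only the earliest bound by a day brings it in without touching the latest bound, which is the behaviour the dashboard's `<done>` handler produces.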
@bharathdoitnow, have you tried the run-anywhere dashboard above?
Thank you @Niketnilay, it looks very easy now. I am trying it out today...
@bharathdoitnow, sure, if it makes sense it would surely work. Try it out and confirm! All the best 🙂
@niketnilay Thank you for the answer. It worked and solved my major issue of searching with a standard timestamp.
@bharathdoitnow, if it worked for you please don't forget to accept the answer and upvote the comments that helped!
@bharathdoitnow, I stumbled on this old post. If your issue was resolved, kindly accept this answer to mark the question as answered and assist others facing a similar issue! 🙂
The <earliest>$shared_time.earliest$-24h</earliest> earliest time in the screenshot was a typo; anyway, that's not a working solution.