
Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

New Member

I am creating a dashboard which shows results based on search range.

Problem statement:
1. The user fills in a form in the web application.
2. The user logs into the Splunk dashboard and looks for logs by choosing "today" in the time picker.
3. No results come up, as the logs were tagged under a timestamp from a day before.
4. When the user changes the time to yesterday or the last 2 days, results are shown.

So I want to extend the user's search range by 1 day before in the back end. I tried to do this, but it is not working as expected.

What I tried:

Time picker:

0 Karma

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

New Member
<earliest>$shared_time.earliest$-24h</earliest> The earliest time in the screenshot was a typo; anyway, that's not a working solution.
0 Karma

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

Legend

@bharathdoitnow, you would need to pass the Time input tokens to a dummy search and then use $job.earliestTime$, which is a default token for the <search> handler. PS: As per your question, you need to show -24h data along with the selected time range, which means you don't need to adjust the latest time, just the earliest time. You can also refer to my previous answer for details (one more solution approach, using addinfo): https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Please try the following run anywhere dashboard and confirm:

<form>
  <label>Adjust Search Earliest Time</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search>
    <query>| makeresults
    </query>
    <done>
      <set token="tokAdjustedEarliestTimeString">$job.earliestTime$</set>
      <eval token="tokAdjustedEarliestTimeEpoch">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-24h")</eval>
    </done>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
  </search>
  <row>
    <panel>
      <title>tokAdjustedEarliestTimeString: "$tokAdjustedEarliestTimeString$" | tokAdjustedEarliestTimeEpoch= "$tokAdjustedEarliestTimeEpoch$"</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
          | timechart count</query>
          <earliest>$tokAdjustedEarliestTimeEpoch$</earliest>
          <latest>$tokTime.latest$</latest>          
        </search>
      </table>
    </panel>
  </row>
</form>



| eval message="Happy Splunking!!!"



0 Karma
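The addinfo approach mentioned in the answer above, sketched as an added example (not code from the original post or from the linked answer): a subsearch reads the time picker's range through addinfo and returns an earliest that is 24 hours before the selected one, so no dummy search or extra token is needed. It assumes the subsearch inherits the time picker's range, reuses the index and filter from the dashboard above, and treats the "All time" boundary values (info_min_time of 0, info_max_time of +Infinity) as special cases.

```spl
index=_internal sourcetype=splunkd log_level!=INFO
    [| makeresults
     | addinfo
     | eval earliest=if(info_min_time=0, 0, relative_time(info_min_time, "-24h"))
     | eval latest=if(info_max_time="+Infinity", now(), info_max_time)
     | return earliest latest]
| timechart count
```

The earliest and latest values returned by the subsearch act as time modifiers in the search string, which take precedence over the range chosen in the time picker.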

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

Legend

@bharathdoitnow, have you tried the run anywhere dashboard above?




| eval message="Happy Splunking!!!"


0 Karma

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

New Member

Thank you @Niketnilay. It looks very easy now. I am trying it out today....

0 Karma

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

Legend

@bharathdoitnow, sure, if it makes sense surely it would work. Try it out and confirm! All the best 🙂




| eval message="Happy Splunking!!!"


0 Karma

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

New Member

@niketnilay Thank you for the answer. It worked and solved my major issue of searching with a standard timestamp.

0 Karma

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

Legend

@bharathdoitnow, if it worked for you, please don't forget to accept the answer and upvote the comments that helped!




| eval message="Happy Splunking!!!"


0 Karma

Re: Problem in enhancing search range by a Day before than actual selected range, ex : if user selects today, show today+yesterday results.

Legend

@bharathdoitnow, stumbled on this old post. If your issue was resolved, kindly accept this answer to mark the question as answered and assist others facing a similar issue! 🙂




| eval message="Happy Splunking!!!"


0 Karma