Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search time range based on epoch token from drilldown, how can I use my epoch token to set the time ranges in my panels?

TalNiv
New Member
‎02-20-2023 02:44 AM

I have a dashboard which received a token named "time" by drilldown, which stores a specific time in epoch. 

Now I want the searches in my dashboard to have a time range based on this epoch value. 

I tried to use this token in "earliest" and "latest",  i.e, <earliest>$time$</earliest>.

I worked only when I put the token as is, but not with any kind of simple arithmetic like <earliest>$time$ - 100000 </earliest>.

How can I use my epoch token to set the time ranges in my panels? 

Labels (4)
Labels
0 Karma
Reply

danspav
SplunkTrust
SplunkTrust
‎02-21-2023 09:50 PM

Hi @TalNiv ,

The easiest way is how @gcusello said - update the original dashboard to create two tokens for earliest / latest.

You can add this to the section where you create the $time$ token in the original dashboard:
<eval token="earliest">tonumber($time$) - 10000</eval>

If you don't have access to that dashboard there aren't many options. AFAIK you cannot use URL sourced tokens in the <init> section of your dashboard to do the same eval tag.

One very roundabout way is to create a dummy search, and create tokens off that. E.g. put this at the top of your dashboard under the label section:

<search>
<query>|makeresults | eval earliest=tonumber($time$) - 100000, latest=$time$</query>
<done>
<set token="earliest">$result.earliest$</set>
<set token="latest">$result.latest$</set>
</done>
</search>

Now you can use $earliest$ and $latest$ in your searches.

Reply

gcusello
SplunkTrust
SplunkTrust
‎02-20-2023 02:54 AM

Hi @TalNiv,

in the main dashboard create two fields earliest and latest (both in epochtime) and then pass them in drilldown.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...