Set earliest and latest dynamically in simple XML

gabriel_vasseur
Contributor

I have a custom form where the user can select a month. The label (i.e. what the user sees) is the month name. Because the list of choices is generated by a dynamic search, I can easily control the value (i.e. what the token gets set to) to be either the month name, number, the timestamp of the start of the month, etc. The question is how to use that token to specify both the earliest and latest in my base search?

This is a condensed version of how far I got:

<form>
  ...
  <input token="monthEarliest">
    <search>
      <query>... | eval month_name=strftime( starttime, "%B" )
      | eval month_earliest=strftime(starttime, "%m/%d/%Y:%H:%M:%S")
      | eval month_latest=strftime(relative_time(starttime,"+1mon"), "%m/%d/%Y:%H:%M:%S")</query>
    </search>
    <fieldForLabel>month_name</fieldForLabel>
    <fieldForValue>month_earliest</fieldForValue>
    <change>
      <set token="monthLatest">$row.month_latest$</set>
    </change>
  </input>
...
  <search id="my_main_search">
    <query>...</query>
    <earliest>$monthEarliest$</earliest>
    <latest>$monthLatest$</latest>
  </search>
...
</form>

However this gives me "invalid earliest time".
I have printed the values of $monthEarliest$ and $monthLatest$ and they look alright and get updated correctly when changing the dropdown. Also, they work as expected if I use them in a manual search outside the dashboard, as they should as per the docs. So I have no idea why in the dashboard they wouldn't work as well.

0 Karma
1 Solution

woodcock
Esteemed Legend

You have to convert $monthEarliest$ and $monthLatest$ to Unix Epoch time (a time_t which is an integer, not a string).

gabriel_vasseur
Contributor

Thanks, that fixed it!
It's confusing that the docs state "For exact time ranges, the syntax of time_modifier is: %m/%d/%Y:%H:%M:%S.". Not only do epoch time stamps also work in searches but apparently they MUST be used in simple XML.

0 Karma
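
The fix from the accepted answer applied to the dashboard in the question, as an added example that is not part of the original thread: the dropdown value and the monthLatest token carry epoch seconds instead of formatted strings. The populating search (makeresults over the last six months), the main query over index=_internal, and the labels are constructed assumptions; the `$row.month_latest$` change handler is kept as posted in the question.

```xml
<form>
  <label>Month picker with epoch time bounds (constructed example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="monthEarliest" searchWhenChanged="true">
      <label>Month</label>
      <search>
        <!-- Constructed populating search: one row per month, starttime is epoch seconds -->
        <query>| makeresults count=6
| streamstats count AS n
| eval starttime=relative_time(now(), "-".n."mon@mon")
| eval month_name=strftime(starttime, "%B %Y")
| eval month_earliest=starttime
| eval month_latest=relative_time(starttime, "+1mon")
| table month_name month_earliest month_latest</query>
      </search>
      <!-- Label stays human readable; the value is the raw epoch, not a strftime string -->
      <fieldForLabel>month_name</fieldForLabel>
      <fieldForValue>month_earliest</fieldForValue>
      <change>
        <!-- Upper bound is also epoch seconds (start of the following month) -->
        <set token="monthLatest">$row.month_latest$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search id="my_main_search">
          <!-- Constructed main search; replace with the real query -->
          <query>index=_internal | stats count BY sourcetype</query>
          <earliest>$monthEarliest$</earliest>
          <latest>$monthLatest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```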