Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Setting time frame values dynamically for splunk dashboard

Ashwin3
Engager
‎07-12-2022 02:02 AM

I have a use case where once a particular datetime is entered as input on the dashboard. Need to show search log results panel from two time frames side by side.  

say if the entered value is "07/06/2022:14:00:00"

1) -1hr from the time period entered (here in this case "07/06/2022:13:00:00 -"07/06/2022:14:00:00"

2) From the time period entered to till now (here in this case "07/06/2022:14:00:00 -NOW"

I am capturing the datetime entered as a timetoken

how to set another time token relative to the value entered on screen in dashboard? so that i can use both these tokens as earliest and latest for the first usecase.

Thanks

Labels (3)
Labels
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎07-12-2022 02:46 AM

You can use relative_time to eval tokens in your dashboard

e.g -1h

<eval token="new_token">relative_time($timeToken$,"-1h")</eval>

As for the now you can just use your time field as a earliest token in the search itself.

On both cases you'll probably need to use strftime to process your timestamp token format

From docs:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/tokens

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

Ashwin3
Engager
‎07-12-2022 03:33 AM

Thank you. Will try once with this and confirm @diogofgm 

  <eval token="formatted_token">strptime($timeToken$,"%m/%d/%Y:%T")</eval>

 <eval token="new_token">relative_time($formatted_token$,"-1h")</eval>

I am trying with the above one but looks like <eval> is not getting accepted as child node for any of the form elements like <input>, <fieldset> etc. where can we place this <eval> step in UI form?

 

Also is there a way where we can accept datetime as input directly from dashboard. Currently i see a Time input but it does not allow to select a particular time. Hence am using text field for getting the datetime value.

 

Thanks.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎07-12-2022 04:20 AM

Inside input > change tags. so it would be input > change > eval 

Check this part of the docs I shared before:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/tokens#Define_tokens_for_conditional_op...

You could use a time picker since it already creates tokens for you. if you name your time picker timepicker you'll have $timepicker.earliest$ and $timepicker.latest$ and use these to then eval the new tokens 

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...