Re: Splunk Dashboard - <eval>

pcontreras · ‎10-26-2023

Hello there!

I'm trying to use <change> and <eval> inside of my time input to create a token that takes in $time.earliest$ and converts it to a unix timestamp, however, my <eval> is not working how I expect.

When I use $start_time$ in my dashboard panels, I get a literal copy/paste of the "relative_time(now() ..." statement (i.e., it's not actually evaluating). I've seen multiple examples in Splunk documentation and it seems like <eval> is supposed to evaluate the function you're trying to use.

Help me, Splunk Community. You're my only hope.

ITWhisperer · ‎10-27-2023

There doesn't appear to be anything wrong with what you are doing (apart from I don't think you need the quotes around the token in the relative_time function, and the condition is probably superfluous); the issue may be to do with the version of Splunk you are using as there have been issues with this before iirc. Which version are you using?

pcontreras · ‎10-27-2023

I'm on Splunk Cloud version 9.0.2305.201.

Don't I need the quotes in the relative_time function? If $time.earliest$ is a relative time modifier (e.g., -7d@h), it needs quotes, right?

ITWhisperer · ‎10-28-2023

I am using enterprise and it works without quotes with -7d@h

Splunk Dashboard - <eval>

dashboard

simple XML

token

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?