Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard - <eval>

pcontreras
Explorer
‎10-26-2023 04:24 PM

Hello there!

I'm trying to use <change> and <eval> inside of my time input to create a token that takes in $time.earliest$ and converts it to a unix timestamp, however, my <eval> is not working how I expect.

pcontreras_0-1698362424842.png


When I use $start_time$ in my dashboard panels, I get a literal copy/paste of the "relative_time(now() ..." statement (i.e., it's not actually evaluating).  I've seen multiple examples in Splunk documentation and it seems like <eval> is supposed to evaluate the function you're trying to use.

Help me, Splunk Community.  You're my only hope.

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2023 02:03 AM

There doesn't appear to be anything wrong with what you are doing (apart from I don't think you need the quotes around the token in the relative_time function, and the condition is probably superfluous); the issue may be to do with the version of Splunk you are using as there have been issues with this before iirc. Which version are you using?

0 Karma
Reply

pcontreras
Explorer
‎10-27-2023 03:24 PM

I'm on Splunk Cloud version 9.0.2305.201.

Don't I need the quotes in the relative_time function?  If $time.earliest$ is a relative time modifier (e.g., -7d@h), it needs quotes, right?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-28-2023 01:48 AM

I am using enterprise and it works without quotes with -7d@h

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...