Splunk dashboard token update delay

SplunkTrust

I have a dashboard created to monitor license usage and am trying to have some dynamic paneling depending on the time range selected. The issue is the tokens set by the timerange picker seem to be delayed by one iteration of changes. Here is the XML to provide the example:

 <form>
  <label>Test</label>
  <search id="base">
    <query>index=_internal source=*license_usage.log type="Usage" earliest=$time.earliest$ latest=$time.latest$  | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   | eval sourcetypename = st   | bin _time span=1d    | stats values(poolsz) as poolsz sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=(b/1024/1024/1024)  | eval pool=(poolsz/1024/1024/1024) | fields _time, indexname, sourcetypename, GB, pool | search indexname=$index$ sourcetypename=$sourcetype$</query>
  </search>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="early">relative_time(now(), $time.earliest$)</eval>
        <eval token="late">relative_time(now(), $time.latest$)</eval>
        <eval token="diff">tostring((relative_time(now(), $time.latest$))-(relative_time(now(), $time.earliest$)),"duration")</eval>
      </change>
    </input>
    <input type="dropdown" token="index" searchWhenChanged="true">
      <label>Index</label>
      <search>
        <query>| rest /services/data/indexes | dedup title | search title!=_* | fields title</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>title</fieldForLabel>
      <fieldForValue>title</fieldForValue>
      <choice value="*">All</choice>
    </input>
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>Sourcetype</label>
      <search>
        <query>| metadata type=sourcetypes index=$index$</query>
        <earliest>0</earliest>
      </search>
      <choice value="*">All</choice>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Test $early$ - $late$ - $diff$</title>
    </panel>
  </row>
</form>

An example sequence would be:
I load the page with the default search range being "Today". I get values for $early$ and $late$ but they appear to be the same epoch for some reason and $diff$ shows 00:00:00. I select an index for my dashboards and it will populate the dashboards with the correct time range but the tokens do not update for $early$, $late$, or $diff$. Say I select "Last 15 minutes" from the picker next. It will then update the tokens to the value for the previous value "Today" but the dashboards will update content for the last 15 minutes. I can select another value like "Last 4 hours" and the tokens will then update for the last 15 minutes while the rest of the content is for the last 4 hours and repeat this for the others.

Any idea on how to have these tokens update immediately upon selecting the value?

0 Karma

SplunkTrust

Feeding off of niketnilay's direction to the other thread, I have it working via a hidden search that runs when the time picker is updated. Here is the updated XML for a portion of the form:

    <form>
      <label>License Usage</label>
      <search id="base">
        <query>index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   | eval sourcetypename = st   | bin _time span=1d    | stats values(poolsz) as poolsz sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=(b/1024/1024/1024)  | eval pool=(poolsz/1024/1024/1024) | fields _time, indexname, sourcetypename, GB, pool | search indexname=$index$ sourcetypename=$sourcetype$</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldset submitButton="false" autoRun="false">
        <input type="time" token="time" searchWhenChanged="true">
          <label>Time Picker</label>
          <default>
            <earliest>@d</earliest>
            <latest>now</latest>
          </default>
          <change>
            <unset token="time_panel"></unset>
          </change>
        </input>
        <input type="dropdown" token="index" searchWhenChanged="true">
          <label>Index</label>
          <search>
            <query>| rest /services/data/indexes | dedup title | search title!=_* | fields title</query>
            <earliest>0</earliest>
          </search>
          <fieldForLabel>title</fieldForLabel>
          <fieldForValue>title</fieldForValue>
          <choice value="*">All</choice>
        </input>
        <input type="dropdown" token="sourcetype" searchWhenChanged="true">
          <label>Sourcetype</label>
          <search>
            <query>| metadata type=sourcetypes index=$index$</query>
            <earliest>0</earliest>
          </search>
          <choice value="*">All</choice>
          <fieldForLabel>sourcetype</fieldForLabel>
          <fieldForValue>sourcetype</fieldForValue>
          <default>*</default>
        </input>
      </fieldset>
      <row depends="$time_panel$">
        <panel>
          <title>Time token panel</title>
          <chart><search>
            <query><![CDATA[| makeresults | addinfo | eval start = strftime(info_min_time, "%c") | eval end = strftime(info_max_time, "%c") | eval diff=tostring(info_max_time-info_min_time,"duration") | eval diff=replace(diff,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") | fields diff end start | rex field=diff (?<days>\d+)\sdays\s(?<hours>\d+) | eval over_day=if(days>0,"true","false") | eval single_day=if(days<=1,"true","false")]]></query>
            <earliest>$time.earliest$</earliest>
            <latest>$time.latest$</latest>
            <done>
              <condition match="&#36;result.single_day&#36;==&quot;true&quot;">
                <set token="single_day"></set>
                <unset token="over_day"></unset>
              </condition>
              <condition match="&#36;result.over_day&#36;==&quot;true&quot;">
                <unset token="single_day"></unset>
                <set token="over_day"></set>
              </condition>
            </done>
          </search>
          </chart>
        </panel>
      </row>
      <row depends="$single_day$">
        <panel>
          <title>Total License Consumption</title>
          <chart>
            <search base="base">
              <query>| fields _time, indexname, sourcetypename, GB, pool | stats values(pool) as pool sum(GB) as GB | gauge GB 0 pool</query>
            </search>
            <option name="charting.chart">fillerGauge</option>
          </chart>
        </panel>
      </row>
    </form>

0 Karma

SplunkTrust

In more testing I have added just $time.earliest$ and $time.latest$ tokens to the title of the panel to test the token changing and those update immediately upon changing. It seems to be an issue with the tokens set within the evals.

0 Karma

SplunkTrust

I don't think the change event in the time picker exposes any default token. I feel this is more for you to be able to set/unset other tokens in the form. If you use the same time picker's name as token, then the value will always be delayed since you would need to post it first (not just with the time picker, the same will be exhibited by drilldown as well). Please see if you can use addinfo to pick up the earliest and latest timestamps being used by a query that uses the token from your time picker control.

Following is a question with a similar issue:
https://answers.splunk.com/answers/520784/cant-get-eval-statements-in-dashboard-to-use-corre.html#co...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

That seems to have done the trick. I can't accept yours as an answer since it is posted as a comment. If you want to repost it I can accept it.

Thanks!

0 Karma
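
The addinfo approach suggested in the thread, reduced to the three tokens from the original question (an added example, not code from any poster): a hidden global search bound to the time picker computes `early`, `late` and `diff`, and its `<done>` handler copies them into tokens only after the search for the newly selected range has finished. The search id `time_tokens` and the `+Infinity` handling for an "All time" range are assumptions of this example.

```xml
<form>
  <label>Time token example</label>
  <!-- Hidden global search: re-dispatched whenever the time picker changes,
       because its time range is bound to the picker's tokens. -->
  <search id="time_tokens">
    <!-- addinfo exposes the resolved search window as info_min_time and
         info_max_time (epoch seconds). For an "All time" range,
         info_max_time is assumed to be "+Infinity", so fall back to now(). -->
    <query>| makeresults
| addinfo
| eval early=info_min_time
| eval late=if(info_max_time="+Infinity", now(), info_max_time)
| eval diff=tostring(late-early, "duration")
| fields early late diff</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <!-- Runs after the search completes, so the tokens always describe
         the range that was just selected, not the previous one. -->
    <done>
      <set token="early">$result.early$</set>
      <set token="late">$result.late$</set>
      <set token="diff">$result.diff$</set>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Test $early$ - $late$ - $diff$</title>
      <html>
        <p>Window (epoch seconds): $early$ to $late$, duration $diff$</p>
      </html>
    </panel>
  </row>
</form>
```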