Dashboards & Visualizations

Subtracting 30 minutes from passed drilldown parameter to use as earliest/latest in next timechart search

RVDowning
Contributor

I have a dashboard which displays a timechart with a one hour span. When the user clicks on the timechart I am using a drilldown and passing the time as follows: $click.value$

If I then display that time_tok as follows:

I get a value that looks like: 1423584000.000 which is all well and good. I'm not formatting anything yet.

Now that the user has clicked on a point representing a one hour span, I would like to show a timechart starting 30 minutes before that point and ending 30 minutes after. I can't find any syntax that works, namely:

index=perfmon earliest=$time_tok$
| table a_formated_time, host, etc, etc,

Is there a way to subtract 30 minutes from $time_tok$ such as $time_tok$-30m or $time_tok$-1800? Then I could do something similar for latest.

0 Karma
1 Solution

Raghav2384
Motivator

Try this:

earliest=[|gentimes start=-1|eval new = relative_time($time_tok$,"-1800")| return $$new]

Hope this helps!
Thanks,
Raghav


ManishVilla7
Explorer

Hi @Raghav2384
I tried this on my dashboard panel. It picks the time 30 minutes prior correctly, but the latest time is being calculated as now(). Below is my query; please let me know if I am making some mistake. I need plus/minus 30 minutes around my click.value (the epoch time of the point in my timechart).

index=wineventlog EventCode=4625 earliest=[|gentimes start=-1|eval new = relative_time($click.value$,"-1800")| return $$new]

Help me with the latest time.

Thanks,
Manish

0 Karma



RVDowning
Contributor

It certainly works and thanks much for that!

I certainly don't understand it though, such as why gentimes is even needed as opposed to just creating the new date and passing it back. It seems like some kind of workaround to get around syntax limitations. I also don't understand the $$.

Thanks again.

0 Karma

Raghav2384
Motivator

A single dollar would be ignored; the second dollar is used as an escape sequence.

Now, since a straight eval can't be used and a subsearch is not directly applicable, we are embedding a "run anywhere" search to edit/update the token.

Thanks,
Raghav
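Putting the accepted answer together with the latest= half that Manish asked for, here is a complete Simple XML dashboard fragment. This is an added example, not code from the original posts: the panel titles, the search (index=wineventlog EventCode=4625, a 1-minute timechart by host) and the token name time_tok are assumptions for illustration. It relies on the same mechanism Raghav describes: $time_tok$ is substituted by the dashboard before the search runs, the subsearch turns the epoch value into a new epoch with relative_time, and $$new is written with two dollar signs so that the dashboard passes a literal $new through to the return command instead of trying to substitute a token named new.

```xml
<form>
  <label>Drilldown window example (added example, not from the original post)</label>

  <row>
    <panel>
      <title>Failed logons per hour (assumed search)</title>
      <chart>
        <!-- Hourly overview; clicking a bar sets time_tok to that bucket's epoch _time -->
        <search>
          <query>index=wineventlog EventCode=4625 | timechart span=1h count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- click.value on a timechart is the epoch start of the clicked bucket -->
          <set token="time_tok">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <row>
    <!-- depends= keeps this panel hidden until a click has populated time_tok -->
    <panel depends="$time_tok$">
      <title>Detail: 30 minutes either side of the clicked point</title>
      <chart>
        <search>
          <!--
            earliest/latest each get a "run anywhere" subsearch:
              gentimes start=-1  -> produces one row so eval has something to run on
              relative_time(...) -> shifts the epoch token by a relative-time modifier
              return $$new       -> emits just the value; $$ is the Simple XML escape for a
                                    literal $, so the search engine sees "return $new"
            Without the latest= clause the search window would end at now(), which is the
            behaviour Manish reported above.
            Caveat: this only works when time_tok holds an epoch number (as $click.value$
            from a timechart does); a modifier string such as -24h@h will make the eval fail.
          -->
          <query>index=wineventlog EventCode=4625
  earliest=[| gentimes start=-1 | eval new=relative_time($time_tok$, "-30m") | return $$new]
  latest=[| gentimes start=-1 | eval new=relative_time($time_tok$, "+30m") | return $$new]
| timechart span=1m count by host</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

"-30m" and "+30m" are equivalent to the "-1800" / "+1800" in the answer above; relative_time accepts either a bare number of seconds or a unit-qualified modifier. If the Simple XML version in use supports the `<eval token="...">` drilldown element, the same arithmetic can be done once at click time (setting two tokens, earliest_tok and latest_tok) and the subsearches dropped, but the subsearch form shown here is the one the thread confirms works.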

splunkannm
New Member

Hi Raghav,

I try this and get below error :

index="x" sourcetype="y"
earliest=[|gentimes start=-1|eval new = relative_time($field1.earliest$,"-7d")| return $$new]
latest=[|gentimes start=-1 | eval t = relative_time($field1.earliest$,"-7d") | return $$t]
| rename iso_alpha_2_ctry_cd as ad_ctry_cd

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',"-7d")'.

0 Karma