- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Subtracting 30 minutes from passed drilldown p...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dashboard which displays a timechart with a one hour span. When the user clicks on the timechart I am using a drilldown and passing the time as follows: $click.value$
If I then display that time_tok as follows:
I get a value that looks like: 1423584000.000 which is all well and good. I'm not formatting anything yet.
Now that the user has clicked on a point representing a one hour span, I would like to show a timechart starting 30 minutes before that point and ending 30 minutes after. I can't find any syntax that works. namely:
index=perfmon earliest=$time_tok$
| table a_formated_time, host, etc, etc,
Is there a way to subtract 30 minutes from $time_tok$ such as $time_tok$-30m or $time_tok$-1800? Then I could do something similar for latest.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this earliest=[|gentimes start=-1|eval new = relative_time($time_tok$,"-1800")| return $$new]
Hope this helps!
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Raghav2384
I tried this on my dashboard panel. It is picking the 30 mins prior time well but the latest time is getting calculated as now(). Below is my query, please let me know if i am making some mistake. I need plus minus 30 mins in my click.value(epoch time of point in my timechart).
index=wineventlog EventCode=4625 earliest=[|gentimes start=-1|eval new = relative_time($click.value$,"-1800")| return $$new]
Help me with the latest time.
Thanks,
Manish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this earliest=[|gentimes start=-1|eval new = relative_time($time_tok$,"-1800")| return $$new]
Hope this helps!
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It certainly works and thanks much for that!
I certainly don't understand it though, such as why gentimes is even needed as opposed to just creating the new date and passing it back. It seems like some kind of workaround to get around syntax limitations. I also don't understand the $$.
Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Single dollar would be ignored. Second dollar is used as escape sequence.
Now, since a straight eval can't be used and a sub search not directly applicable , we are embedding a 'run anywhere ' search to edit/update the token.
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Raghav,
I try this and get below error :
index="x" sourcetype="y"
earliest=[|gentimes start=-1|eval new = relative_time($field1.earliest$,"-7d")| return $$new]
latest=[|gentimes start=-1 | eval t = relative_time($field1.earliest$,"-7d") | return $$t]
| rename iso_alpha_2_ctry_cd as ad_ctry_cd
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',"-7d")'.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
