Time picker on dashboard to change the day, but keep each panel's one hour time range presets?

Contributor

I have four dashboard tables for 10am to 11am, from 11am to 12am, from 12am to 13am and one from 13am to 14am...
I need a time picker to change only the day of the search and keep these tables' one hour time windows... what's the easiest way I can set this search string or maybe use a text input to pass the date as $parameter$ ?
Thanks in advance!
Best regards

1 Solution

Revered Legend

Let the timepicker values be used as earliestTime and latestTime for each panel. Add the following to your base searches.

your base search  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+10h")  | eval latest=relative_time(info_min_time,"@d+11h")| return earliest,latest] | rest of the search

e.g. run anywhere sample.

<form>
  <label>Multiple Time Picker</label>
  <fieldset>
    <input type="time" >
      <label>TimePicker for SourceType</label>
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>    
  </fieldset>
  <row>
    <table>
      <title>Sourcetypes 10 AM to 11 AM</title>
      <searchString>index=_internal  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+10h")  
        | eval latest=relative_time(info_min_time,"@d+11h")| return earliest,latest] | timechart count by sourcetype
       </searchString>     
      <option name="count">5</option>     
    </table>    
  </row>
  <row>
    <table>
      <title>Sourcetypes 11 AM to 12 AM</title>
      <searchString>index=_internal  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+11h")  
        | eval latest=relative_time(info_min_time,"@d+12h")| return earliest,latest] | timechart count by sourcetype
       </searchString>     
      <option name="count">5</option>     
    </table>    
  </row>
</form>

View solution in original post
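An added example, not part of the original posts: the same subsearch technique applied to the asker's `index=main ProductList=* Channel=$channel$` query, with a single 10:00 to 14:00 window split by `timechart` into one count per hour instead of four separate panels. It assumes the time picker has a finite earliest time, because `info_min_time` is 0 for an "All time" search and the window would then snap to the epoch day rather than the day picked.

```spl
index=main ProductList=* Channel=$channel$
    [| gentimes start=-1
     | addinfo
     | eval earliest=relative_time(info_min_time, "@d+10h")
     | eval latest=relative_time(info_min_time, "@d+14h")
     | return earliest,latest]
| timechart span=1h count
```

The day is taken from the picker's earliest bound only; the `earliest` and `latest` values returned by the subsearch override the picker's own range for the outer search.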

Contributor

My current query for this dashboard is :

Index=main ProductList=* Channel=$channel$ | stats count

I need to count the total per day per set time, so they are four totals individually by time :
10am total
11total
12total
13total

And use time picker only to change between days...

0 Karma

Revered Legend

Could you provide more details? Like your current query and expected output...

0 Karma

Contributor

What's the correct syntax order if I need a stats count per day with fixed time settings too? The same query above but for a stats count over those intervals...

0 Karma

Community Manager

@vtsguerrero no problem 🙂 I just wanted to make sure so you could get an accurate answer. Glad @somesoni2 found you a solution!

0 Karma

Contributor

Thanks a lot, @somesoni2 it worked like a charm!!

0 Karma


Contributor

Works perfectly! Thankssss

0 Karma

Contributor

@Pablo_splunk

Yeah, sorry, I'm not really used to time differences (Brazil here), but that's what I meant, it's a progression time where all events are, just need a day filter... (sorry if bad English here)...

0 Karma

Contributor

Simple XML Splunk 6.1
I'm currently using @d+10h and @d+11h

0 Karma

Community Manager

@vtsguerrero

Did you mean to put 11am to 12PM, 12PM to 13PM, and 13PM to 14PM? You put AM for each hour.

0 Karma

Revered Legend

What version of Splunk? Advanced xml or simple xml? If advanced xml, do you use Sideview Util? And if using Sideview Util, what is its version?
