Solved: Time picker on dashboard to change the day, but ke...

vtsguerrero · ‎07-29-2014

I have four dashboard tables for 10am to 11am, from 11am to 12am, from 12am to 13am and one from 13am to 14am...
I need a time picker to change only the day of the search and keep these tables' one hour time windows... what's the easiest way I can set this search string or maybe use a text input to pass the date as $parameter$ ?
Thanks in advance!
Best regardss

somesoni2 · ‎07-29-2014

Let the timepicker values to be used as earliestTime and latestTime for the each panel. Add following to your base searches.

your base search  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+10h")  | eval latest=relative_time(info_min_time,"@d+11h")| return earliest,latest] | rest of the search

e.g. run anywhere sample.

<form>
  <label>Multiple Time Picker</label>
  <fieldset>
    <input type="time" >
      <label>TimePicker for SourceType</label>
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>    
  </fieldset>
  <row>
    <table>
      <title>Sourcetypes 10 AM to 11 AM</title>
      <searchString>index=_internal  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+10h")  
        | eval latest=relative_time(info_min_time,"@d+11h")| return earliest,latest] | timechart count by sourcetype
       </searchString>     
      <option name="count">5</option>     
    </table>    
  </row>
  <row>
    <table>
      <title>Sourcetypes 11 AM to 12 AM</title>
      <searchString>index=_internal  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+11h")  
        | eval latest=relative_time(info_min_time,"@d+12h")| return earliest,latest] | timechart count by sourcetype
       </searchString>     
      <option name="count">5</option>     
    </table>    
  </row>
</form>

View solution in original post

vtsguerrero · ‎07-31-2014

My current query for this dashboard is :

Index=main ProductList=* Channel=$channel$ | stats count

I need to count the total per day per set time, so they are four totals individually by time :
10am total
11total
12total
13total

And use time picker only to change between days...

somesoni2 · ‎07-31-2014

Could you provide more details? Like your current query and expected output...

vtsguerrero · ‎07-31-2014

What's the correct syntax order if I need a stats count per day with fixed time settings too? The same query above but for a stats count over those intervals...

ppablo · ‎07-29-2014

@vtsguerrero no problem 🙂 I just wanted to make sure so you could get an accurate answer. Glad @somesoni2 found you a solution!

vtsguerrero · ‎07-29-2014

Thanks a lot, @somesoni2 it worked like a charm!!

somesoni2 · ‎07-29-2014

Let the timepicker values to be used as earliestTime and latestTime for the each panel. Add following to your base searches.

your base search  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+10h")  | eval latest=relative_time(info_min_time,"@d+11h")| return earliest,latest] | rest of the search

e.g. run anywhere sample.

<form>
  <label>Multiple Time Picker</label>
  <fieldset>
    <input type="time" >
      <label>TimePicker for SourceType</label>
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>    
  </fieldset>
  <row>
    <table>
      <title>Sourcetypes 10 AM to 11 AM</title>
      <searchString>index=_internal  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+10h")  
        | eval latest=relative_time(info_min_time,"@d+11h")| return earliest,latest] | timechart count by sourcetype
       </searchString>     
      <option name="count">5</option>     
    </table>    
  </row>
  <row>
    <table>
      <title>Sourcetypes 11 AM to 12 AM</title>
      <searchString>index=_internal  [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+11h")  
        | eval latest=relative_time(info_min_time,"@d+12h")| return earliest,latest] | timechart count by sourcetype
       </searchString>     
      <option name="count">5</option>     
    </table>    
  </row>
</form>

vtsguerrero · ‎07-29-2014

Works perfectly! Thankssss

vtsguerrero · ‎07-29-2014

@Pablo_splunk

Yeah, sorry, I'm not really used to time differences ( Brazil here ) but that's what I meant, its a progression time where all events are, just need a day filter... ( sry if bad English here ) ...

vtsguerrero · ‎07-29-2014

Simple XML Splunk 6.1
I'm currently using @d+10h and @d+11h

ppablo · ‎07-29-2014

@vtsguerrero

did you mean to put 11am to 12PM, 12PM to 13PM, and 13PM to 14PM? You put AM for each hour

somesoni2 · ‎07-29-2014

What version of Splunk? Advanced xml or simple xml? If advanced xml, do you use Sideview Util? And if using Sideview Util, what is its version?

Time picker on dashboard to change the day, but keep each panel's one hour time range presets?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience