Timeinput and token

kishan2356
Explorer

I have a dashboard where I need users to be able to select from the time input. When a time is selected from the input, I need it to be stored in the time_finder token so it can be used to find data for current (the time selected from the picker), time_finder-1 week ago, time_finder-2 weeks ago, time_finder-3 weeks ago and time_finder-4 weeks ago.

This is how I have the tokens set now.

    <eval token="earliestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>    
    <eval token="latestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>  
    <eval token="earliestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-7d")</eval>        
    <eval token="latestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-6d")</eval>  
    <eval token="earliestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-14d")</eval>  
    <eval token="latestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-13d")</eval>  
    <eval token="earliestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-21d")</eval>  
    <eval token="latestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-20")</eval>  
    <eval token="earliestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-28")</eval>  
    <eval token="latestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-27d")</eval>  

What I use in my query to reference the tokens is this: earliest=$time_finder$ latest=$time_finder$

The error I am getting is "Search is waiting for input". How can I fix this? If my question does not make sense please let me know and I will clarify/provide more info. Thanks

0 Karma
1 Solution

arjunpkishore5
Motivator

In response to the sample example you posted, try this. Please mark as answer if this is what you were looking for.

<form>
  <label>test_dash</label>
  <fieldset submitButton="false">
    <input type="time" token="time_finder" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest), earliest)</eval>
        <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), latest)</eval>       
        <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
        <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
        <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
        <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
        <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
        <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
        <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
        <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>XXXXXXXXX</title>
      <table>
        <search>
          <query>index=XX sourcetype=XX 
| bin _time span=5m 
| stats dc(ecn) as Now by _time 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime1$ latest=$latestTime1$ 
    | bin _time span=5m 
    | stats dc(ecn) as Count_SameDay_LastWeek by _time ] 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime2$ latest=$latestTime2$ 
    | bin _time span=5m 
    | stats dc(ecn) as TwoWeeksAgo by _time] 
| appendcols 
    [ search index=XX sourcetype=XX  earliest=$earliestTime3$ latest=$latestTime3$
    | bin _time span=5m 
    | stats dc(ecn) as ThreeWeeksAgo by _time] 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime4$ latest=$latestTime4$ 
    | bin _time span=5m 
    | stats dc(ecn) as FourWeeksAgo by _time] 
| eval ...... 
| fields .........</query>
          <earliest>$time_finder.earliest$</earliest>
          <latest>$time_finder.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="totalsRow">false</option>
        <format type="number" field="Diff2">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Estimated_Impact">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Avg_of_Diff1&amp;2">
          <option name="precision">0</option>
        </format>
        <format type="number" field="AvgOfFourWeeks_SameDay">
          <option name="precision">0</option>
          <option name="useThousandSeparators">false</option>
        </format>
        <format type="number" field="Avg_of_Diff_of_today_to_lastweek&amp;Diff_of_today_to_avgOfPrior4weeks">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Diff_of_today_to_avgOfPrior4weeks">
          <option name="precision">0</option>
        </format>
      </table>
    </panel>
  </row>
</form>

arjunpkishore5
Motivator

I'm guessing $time_finder$ is the name of the variable storing the time input. If yes, you need to do the following:

earliest=$time_finder.earliest$ latest=$time_finder.latest$

0 Karma

kishan2356
Explorer

Hey @arjunpkishore5

The dashboard works, but say when I select Date & Range Between 11/13/2019 9:00 and 11/13/2019 10:00, what happens is that the table will display time for 8:00 to 10:00 but it fills in all the data between 8 and 9 with 0s for the first 2 columns, and then it starts to display all the data for 9 to 10. I need it to select the exact time and display it. My guess is that the issue is coming from the way the tokens are set on the dashboard? Any idea on how to fix this issue?

     <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest), earliest)</eval>
     <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), latest)</eval>       
     <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
     <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
     <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
     <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
     <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
     <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
     <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
     <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
   </change>
0 Karma

kishan2356
Explorer

I made the change but it does not work.

0 Karma

kishan2356
Explorer

If I use earliest=$time_finder.earliest$ latest=$time_finder.latest$, would I need 4 sets of earliest and latest?

0 Karma

kishan2356
Explorer

Hey arjunkishore5. I did not properly make the changes you posted to my code, but your solution works just fine! Thank you!

0 Karma

arjunpkishore5
Motivator

Can you post the complete XML for the time input?

0 Karma

kishan2356
Explorer

XXXXXX

<input type="time" token="time_finder" searchWhenChanged="true">
  <label>Time Picker</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>    
    <eval token="latestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>  
    <eval token="earliestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-7d")</eval>        
    <eval token="latestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-6d")</eval>  
    <eval token="earliestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-14d")</eval>  
    <eval token="latestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-13d")</eval>  
    <eval token="earliestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-21d")</eval>  
    <eval token="latestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-20")</eval>  
    <eval token="earliestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-28")</eval>  
    <eval token="latestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-27d")</eval>  
  </change>
</input>


<panel>
  <title>XXXXXXXX</title>
  <table>

    <search>
      <query>index=XX sourcetype=XX | bin _time span=5m | stats dc(ecn) as Now  by _time | appendcols [ search index=XX sourcetype=XX earliest=$earliestTime1.earliest$ latest=$latestTime1.latest$ | bin _time span=5m  |stats dc(ecn) as Count_SameDay_LastWeek by _time ] | appendcols [search index=XX sourcetype=XX  earliest=$earliestTime2.earliest$ latest=$latestTime2.latest$  | bin _time span=5m  |stats dc(ecn) as TwoWeeksAgo by _time] | appendcols [search index=XX sourcetype=XX  | bin _time span=5m  |stats dc(ecn) as ThreeWeeksAgo by _time] | appendcols [search index=XX sourcetype=XX  earliest=$earliestTime4$ latest=$latestTime4.latest$  | bin _time span=5m  |stats dc(ecn) as FourWeeksAgo by _time] | eval ...... | fields .........</query>
      <earliest>$earliest.earliest$</earliest>
      <latest>$latest.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <option name="totalsRow">false</option>
    <format type="number" field="Diff2">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Estimated_Impact">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Avg_of_Diff1&amp;2">
      <option name="precision">0</option>
    </format>
    <format type="number" field="AvgOfFourWeeks_SameDay">
      <option name="precision">0</option>
      <option name="useThousandSeparators">false</option>
    </format>
    <format type="number" field="Avg_of_Diff_of_today_to_lastweek&amp;Diff_of_today_to_avgOfPrior4weeks">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Diff_of_today_to_avgOfPrior4weeks">
      <option name="precision">0</option>
    </format>
  </table>
</panel>
0 Karma