Timeinput and token

Engager

I have a dashboard where I need users to be able to select from the time input. When a time is selected from the input, I need it to be stored into the timefinder token so it can be used to find data for current (the time selected from the picker), timefinder-1 week ago, timefinder-2 weeks ago, timefinder-3 weeks ago and time_finder-4 weeks ago.

This is how I have the tokens set now.

    <eval token="earliestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>    
    <eval token="latestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>  
    <eval token="earliestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-7d")</eval>        
    <eval token="latestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-6d")</eval>  
    <eval token="earliestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-14d")</eval>  
    <eval token="latestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-13d")</eval>  
    <eval token="earliestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-21d")</eval>  
    <eval token="latestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-20")</eval>  
    <eval token="earliestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-28")</eval>  
    <eval token="latestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-27d")</eval>  

What I use in my query to reference the tokens is this: earliest=$timefinder$ latest=$timefinder$

The error I am getting is "Search is waiting for input". How can I fix this? If my question does not make sense please let me know and I will clarify/provide more info. Thanks

0 Karma
1 Solution

Motivator

In response to the sample example you posted, try this. Please mark as answer if this is what you were looking for.

<form>
  <label>test_dash</label>
  <fieldset submitButton="false">
    <input type="time" token="time_finder" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest), earliest)</eval>
        <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), latest)</eval>       
        <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
        <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
        <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
        <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
        <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
        <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
        <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
        <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>XXXXXXXXX</title>
      <table>
        <search>
          <query>index=XX sourcetype=XX 
| bin _time span=5m 
| stats dc(ecn) as Now by _time 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime1$ latest=$latestTime1$ 
    | bin _time span=5m 
    | stats dc(ecn) as Count_SameDay_LastWeek by _time ] 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime2$ latest=$latestTime2$ 
    | bin _time span=5m 
    | stats dc(ecn) as TwoWeeksAgo by _time] 
| appendcols 
    [ search index=XX sourcetype=XX  earliest=$earliestTime3$ latest=$latestTime3$
    | bin _time span=5m 
    | stats dc(ecn) as ThreeWeeksAgo by _time] 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime4$ latest=$latestTime4$ 
    | bin _time span=5m 
    | stats dc(ecn) as FourWeeksAgo by _time] 
| eval ...... 
| fields .........</query>
          <earliest>$time_finder.earliest$</earliest>
          <latest>$time_finder.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="totalsRow">false</option>
        <format type="number" field="Diff2">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Estimated_Impact">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Avg_of_Diff1&amp;2">
          <option name="precision">0</option>
        </format>
        <format type="number" field="AvgOfFourWeeks_SameDay">
          <option name="precision">0</option>
          <option name="useThousandSeparators">false</option>
        </format>
        <format type="number" field="Avg_of_Diff_of_today_to_lastweek&amp;Diff_of_today_to_avgOfPrior4weeks">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Diff_of_today_to_avgOfPrior4weeks">
          <option name="precision">0</option>
        </format>
      </table>
    </panel>
  </row>
</form>
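
A way to check the week-shifted windows outside the dashboard, as an added example that is not part of the original answer: run from the search bar with the same time range selected, it uses `addinfo` to read the search's own time bounds and applies the same `relative_time` shifts as the tokens above. The field names `weeks_back`, `shift`, `window_earliest` and `window_latest` are made up for this example, and a bounded time range (not "All time") is assumed.

```spl
| makeresults
| addinfo
| eval earliestTime=info_min_time, latestTime=info_max_time
| eval weeks_back=mvrange(1,5)
| mvexpand weeks_back
| eval shift="-".tostring(weeks_back*7)."d"
| eval window_earliest=relative_time(earliestTime, shift), window_latest=relative_time(latestTime, shift)
| eval window_earliest_readable=strftime(window_earliest, "%Y/%m/%d %H:%M:%S")
| eval window_latest_readable=strftime(window_latest, "%Y/%m/%d %H:%M:%S")
| table weeks_back shift window_earliest window_latest window_earliest_readable window_latest_readable
```

Each of the four rows should show the same wall-clock start and end times as the selected range, moved back 7, 14, 21 and 28 days.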

Motivator

I'm guessing $time_finder$ is the name of the variable storing the time input. If yes, you need to do the following:

earliest=$timefinder.earliest$ latest=$timefinder.latest$

0 Karma

Engager

Hey @arjunpkishore5

The dashboard works, but say when I select Date & Range Between 11/13/2019 9:00 and 11/13/2019 10:00, what happens is that the table will display time for 8:00 to 10:00, but it fills in all the data between 8 and 9 with 0s for the first 2 columns, and then it starts to display all the data for 9 to 10. I need it to select the exact time and display it. My guess is that the issue is coming from the way the tokens are set on the dashboard? Any idea on how to fix this issue?

     <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest), earliest)</eval>
     <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), latest)</eval>       
     <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
     <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
     <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
     <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
     <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
     <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
     <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
     <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
   </change>
0 Karma

Engager

I made the change but it does not work.

0 Karma

Engager

If I use earliest=$timefinder.earliest$ latest=$timefinder.latest$, would I need 4 sets of earliest and latest?

0 Karma

Engager

Hey arjunkishore5. I did not properly make the changes you posted to my code, but your solution works just fine! Thank you!

0 Karma

Motivator

Can you post the complete XML for the time input?

0 Karma

Engager

XXXXXX

<input type="time" token="time_finder" searchWhenChanged="true">
  <label>Time Picker</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>    
    <eval token="latestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>  
    <eval token="earliestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-7d")</eval>        
    <eval token="latestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-6d")</eval>  
    <eval token="earliestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-14d")</eval>  
    <eval token="latestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-13d")</eval>  
    <eval token="earliestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-21d")</eval>  
    <eval token="latestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-20")</eval>  
    <eval token="earliestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-28")</eval>  
    <eval token="latestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-27d")</eval>  
  </change>
</input>


<panel>
  <title>XXXXXXXX</title>
  <table>

    <search>
      <query>index=XX sourcetype=XX | bin _time span=5m | stats dc(ecn) as Now  by _time | appendcols [ search index=XX sourcetype=XX earliest=$earliestTime1.earliest$ latest=$latestTime1.latest$ | bin _time span=5m  |stats dc(ecn) as Count_SameDay_LastWeek by _time ] | appendcols [search index=XX sourcetype=XX  earliest=$earliestTime2.earliest$ latest=$latestTime2.latest$  | bin _time span=5m  |stats dc(ecn) as TwoWeeksAgo by _time] | appendcols [search index=XX sourcetype=XX  | bin _time span=5m  |stats dc(ecn) as ThreeWeeksAgo by _time] | appendcols [search index=XX sourcetype=XX  earliest=$earliestTime4$ latest=$latestTime4.latest$  | bin _time span=5m  |stats dc(ecn) as FourWeeksAgo by _time] | eval ...... | fields .........</query>
      <earliest>$earliest.earliest$</earliest>
      <latest>$latest.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <option name="totalsRow">false</option>
    <format type="number" field="Diff2">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Estimated_Impact">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Avg_of_Diff1&amp;2">
      <option name="precision">0</option>
    </format>
    <format type="number" field="AvgOfFourWeeks_SameDay">
      <option name="precision">0</option>
      <option name="useThousandSeparators">false</option>
    </format>
    <format type="number" field="Avg_of_Diff_of_today_to_lastweek&amp;Diff_of_today_to_avgOfPrior4weeks">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Diff_of_today_to_avgOfPrior4weeks">
      <option name="precision">0</option>
    </format>
  </table>
</panel>
0 Karma