
Use Timepicker Token With Field

IRHM73
Motivator

Hi,

I wonder whether someone could help me please.

I'm using a query which interrogates a Summary Index containing two fields called Epoch_STime and Epoch_ETime.

I'm then using the query in a dashboard panel which includes a timepicker called "timerange".

What I'm trying to do is set the earliest time from the timepicker to the Epoch_STime and the latest date of the timepicker to Epoch_ETime.

I've tried earliest=$Epoch_Stime$ and the same for the latest time, but I can't get this to work.

Could someone possibly look at this please and let me know where I've gone wrong?

Many thanks and kind regards

Chris


a1bg503461
Explorer

Hello all,

This thread was very helpful to me, and I described my picked time period in the dashboard panel description.
I used the progress tag:

 

      <eval token="a1_jobEarliest">strptime($job.earliestTime$,"%Y-%m-%d_%H:%M:%S")</eval>
      <eval token="a1_jobLatest">strptime($job.latestTime$,"%Y-%m-%d_%H:%M:%S")</eval>
      <set token="a1_jobEarliest">$job.earliestTime$</set>
      <set token="a1_jobLatest">$job.latestTime$</set>
      


However, I still get formatting details that I don't need (underlined in blue are milliseconds):


0 Karma

sdchakraborty
Contributor

Hi,

If I understand your question correctly, you need to set the time picker earliest and latest value based on field value, right? Can you please have a look at the below code snippet and see whether it's satisfying your requirement?

<form>
  <label>demo</label>
  <search id="base_search">
    <query>
      | makeresults
      | eval Epoch_STime=strptime("02/26/2019","%m/%d/%Y"), Epoch_ETime=strptime("02/28/2019","%m/%d/%Y")
    </query>
    <done>
      <set token="form.time.earliest">$result.Epoch_STime$</set>
      <set token="form.time.latest">$result.Epoch_ETime$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
</form>

IRHM73
Motivator

Hi @sdchakraborty. Thank you for coming back to me with this.

No, it's the other way around, so when the user selects the 'timepicker' time range it extracts the correct data using the Epoch time fields.

Many thanks and kind regards

Chris

0 Karma

sdchakraborty
Contributor

Hi,
You can do something like this. Please have a look at the run-anywhere code below:

<form>
  <label>demo</label>
  <search id="base_search">
    <query>|makeresults</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <progress>
      <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <set token="jobEarliest">$job.earliestTime$</set>
      <set token="jobLatest">$job.latestTime$</set>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval Epoch_Time=case(count=1,strptime("02/26/2019","%m/%d/%Y"), count=2,strptime("02/28/2019","%m/%d/%Y"))
| eval formatted_time = strftime(Epoch_Time,"%m/%d/%Y")
| table Epoch_Time, formatted_time
| eval earliest = $toEarliest$
| eval latest = if($toLatest$ &lt; 0,now(),$toLatest$)
| where Epoch_Time &gt;= earliest AND Epoch_Time &lt;= latest</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

IRHM73
Motivator

Hi @sdchakraborty. Thank you for coming back to me.

I'm sorry to ask, particularly as you've been so helpful, but which element do I use in my dashboard? I'm having a little difficulty in following the data/field journey.

Many thanks and kind regards

Chris

0 Karma

sdchakraborty
Contributor

Hi Chris,

Let me explain what's going on there. The main problem statement is you need to select some date range from your dashboard time picker and that should filter out data based on another field (Epoch_STime and Epoch_ETime). Now, as we know, the time picker will always go by the _time field. So we need to do some customization. That's why I have created the base search.

It's just running a dummy search with our dashboard time picker earliest and latest value and setting up a couple of tokens (toEarliest and toLatest) which we are going to use in our panel level search.

  <search id="base_search">
     <query>|makeresults</query>
     <earliest>$time.earliest$</earliest>
     <latest>$time.latest$</latest>
     <progress>
       <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
       <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
       <set token="jobEarliest">$job.earliestTime$</set>
       <set token="jobLatest">$job.latestTime$</set>
     </progress>
   </search>

Now at the panel level we are applying those two tokens we set before, and the filtering logic is to get the events where the Epoch_STime and Epoch_ETime range is matching with the toEarliest and toLatest range. If you understand this, I think you should be able to determine what changes you need to do in your dashboard.

Btw I have discussed the same thing below as well. Please have a look.

Part 1 : https://youtu.be/SiXshUxhmcc
Part 2 : https://youtu.be/1fIWEqmxKEg
Part 3 : https://youtu.be/OzEb7Q-fuXs
Part 4 : https://youtu.be/K_PeZvkVFOA

Sid

0 Karma

IRHM73
Motivator

Hi, @sdchakraborty. Thank you for coming back to me and I'm sorry it's taken a while to come back to you. I've been working through this, but I can't get the 'timepicker' to load the data.

Could you possibly have a look at my XML below please and let me know where I've gone wrong?

<form>
  <label>CODE</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
         <progress>
       <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
       <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
       <set token="jobEarliest">$job.earliestTime$</set>
       <set token="jobLatest">$job.latestTime$</set>
     </progress>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Extract Data</title>
        <search>
          <query><<Main part of query>>
| eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$) |  where Epoch_STime &gt;= earliest AND Epoch_ETime &lt;= latest
</query>
        </search>
      </table>
    </panel>
  </row>
</form>

Many thanks and kind regards

Chris

0 Karma

sdchakraborty
Contributor

Hi Chris,

The below code is in the wrong place. The progress tag has to be under a search.

 <progress>
        <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
        <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
        <set token="jobEarliest">$job.earliestTime$</set>
        <set token="jobLatest">$job.latestTime$</set>
      </progress>
0 Karma

IRHM73
Motivator

Hi @sdchakraborty.

Thank you for coming back to me with this.

I've amended the code to the following:

      <input type="time" token="time" searchWhenChanged="true">
         <label>Select the Time Range</label>
         <default>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
         </default>
      </input> 
      <panel>
         <table>
            <title>Extract Data</title>
            <search>
               <query><<Main Query>>
| eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$) |  where Epoch_STime &gt;=earliest AND Epoch_ETime &lt;=latest
               <earliest>$time.earliest$</earliest>
               <latest>$time.latest$</latest>
               <progress>
                  <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
                  <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
                  <set token="jobEarliest">$job.earliestTime$</set>
                  <set token="jobLatest">$job.latestTime$</set>
               </progress>
            </search>
         </table>
      </panel>

The data is now being returned, so thank you for this, but it is not filtering the data to match the timepicker.

Is there any chance you could look at this please and let me know where I've gone wrong?

Many thanks and kind regards

Chris

0 Karma

sdchakraborty
Contributor

Hi Chris,

That is wrong again... I have created a simplistic dashboard. Please have a look. You can change the dates at the panel level and test.

<form>
  <label>demo1</label>
  <!-- Base search: runs over the time picker range so the job's earliest/latest times can be turned into epoch tokens -->
  <search>
    <query>|makeresults</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <progress>
      <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <set token="jobEarliest">$job.earliestTime$</set>
      <set token="jobLatest">$job.latestTime$</set>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Panel search: filters on the epoch field using the tokens set by the base search -->
        <search>
          <query>| makeresults count=2
| streamstats count
| eval date_time = case(count=1,"2019-02-28T3:26:59.676Z",count=2,"2019-02-28T3:26:53.391Z")
| eval date_time_epoch = strptime(date_time,"%Y-%m-%dT%H:%M:%S.%3N")
| table _time,date_time,date_time_epoch
| eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$) |  where date_time_epoch &gt;= earliest AND date_time_epoch &lt;= latest</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

IRHM73
Motivator

Hi @sdchakraborty.

Thank you for this. I've been through this again and I've finally got this to work. Thank you so much for your help.

But would it be possible, because I want to learn from this, that you could explain the rationale behind the need to use the first query?

Many thanks and kind regards

Chris

0 Karma
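
The following dashboard is an added example, not code from any poster in this thread. It applies the base-search pattern described above to a pair of Epoch_STime/Epoch_ETime fields and also shows the picked range in the panel title without milliseconds. The token names shownEarliest and shownLatest, the search id range_probe, and the makeresults rows standing in for the summary index query are assumptions made for illustration.

```xml
<form>
  <label>epoch_field_filter_example</label>
  <!-- Base search: exists only to resolve the picker's range into job times -->
  <search id="range_probe">
    <query>| makeresults</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <progress>
      <!-- Epoch values used for filtering in the panel search -->
      <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <!-- Display strings: parse to epoch, then re-format without milliseconds or offset.
           shownEarliest/shownLatest are token names chosen for this example. -->
      <eval token="shownEarliest">strftime(strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z"),"%Y-%m-%d %H:%M:%S")</eval>
      <eval token="shownLatest">strftime(strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z"),"%Y-%m-%d %H:%M:%S")</eval>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Rows between $shownEarliest$ and $shownLatest$</title>
      <table>
        <search>
          <!-- Constructed rows stand in for the summary index query -->
          <query>| makeresults count=3
| streamstats count
| eval Epoch_STime=now() - count*86400, Epoch_ETime=Epoch_STime + 3600
| eval earliest=$toEarliest$, latest=if($toLatest$ &lt; 0, now(), $toLatest$)
| where Epoch_STime &gt;= earliest AND Epoch_ETime &lt;= latest
| table Epoch_STime, Epoch_ETime</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The panel search carries no earliest/latest of its own; the picker reaches it only through the toEarliest and toLatest tokens, so the filter is applied to the epoch fields rather than to _time.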