Hi,
I wonder whether someone could help me please.
I'm using a query which interrogates a Summary Index containing two fields called Epoch_STime and Epoch_ETime.
I'm then using the query in a dashboard panel which includes a timepicker called "timerange".
What I'm trying to do is set the earliest time from the timepicker to the Epoch_STime and the latest date of the timepicker to Epoch_ETime.
I've tried earliest=$Epoch_Stime$ and the same for the latest time, but I can't get this to work.
Could someone possibly look at this please and let me know where I've gone wrong?
Many thanks and kind regards
Chris
Hi,
If I understand your question correctly, you need to set the time picker earliest and latest value based on field value, right? Can you please have a look at the below code snippet and see whether it's satisfying your requirement?
<form>
  <label>demo</label>
  <search id="base_search">
    <query>
      | makeresults
      | eval Epoch_STime=strptime("02/26/2019","%m/%d/%Y"), Epoch_ETime=strptime("02/28/2019","%m/%d/%Y")
    </query>
    <done>
      <set token="form.time.earliest">$result.Epoch_STime$</set>
      <set token="form.time.latest">$result.Epoch_ETime$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
</form>
Hello all,
This thread was very helpful to me and I described my picked time period in the dashboard panel description.
I used the progress tag:
<eval token="a1_jobEarliest">strptime($job.earliestTime$,"%Y-%m-%d_%H:%M:%S")</eval>
<eval token="a1_jobLatest">strptime($job.latestTime$,"%Y-%m-%d_%H:%M:%S")</eval>
<set token="a1_jobEarliest">$job.earliestTime$</set>
<set token="a1_jobLatest">$job.latestTime$</set>
However, I still get formatting details that I don't need (underlined in blue are milliseconds):
Hi @sdchakraborty. Thank you for coming back to me with this.
No, it's the other way around, so when the user selects the 'timepicker' time range it extracts the correct data using the Epoch time fields.
Many thanks and kind regards
Chris
Hi,
You can do something like this. Please have a look at the run-anywhere code below:
<form>
  <label>demo</label>
  <search id="base_search">
    <query>|makeresults</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <progress>
      <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <set token="jobEarliest">$job.earliestTime$</set>
      <set token="jobLatest">$job.latestTime$</set>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=2
            | streamstats count
            | eval Epoch_Time=case(count=1,strptime("02/26/2019","%m/%d/%Y"), count=2,strptime("02/28/2019","%m/%d/%Y"))
            | eval formatted_time = strftime(Epoch_Time,"%m/%d/%Y")
            | table Epoch_Time, formatted_time
            | eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$) | where Epoch_Time &gt;= earliest AND Epoch_Time &lt;= latest</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Hi @sdchakraborty. Thank you for coming back to me.
I'm sorry to ask, particularly as you've been so helpful, but which element do I use in my dashboard? I'm having a little difficulty in following the data/field journey.
Many thanks and kind regards
Chris
Hi Chris,
Let me explain what's going on there. The main problem statement is you need to select some date range from your dashboard time picker and that should filter out data based on another field (Epoch_STime and Epoch_ETime). Now, as we know, the time picker will always go by the _time field. So we need to do some customization. That's why I have created the base search.
It's just running a dummy search with our dashboard time picker earliest and latest value and setting up a couple of tokens (toEarliest and toLatest) which we are going to use in our panel level search.
<search id="base_search">
  <query>|makeresults</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
  <progress>
    <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    <set token="jobEarliest">$job.earliestTime$</set>
    <set token="jobLatest">$job.latestTime$</set>
  </progress>
</search>
Now at the panel level we are applying those two tokens we set before, and the filtering logic is to get the events where the Epoch_STime and Epoch_ETime range matches the toEarliest and toLatest range. If you understand this, I think you should be able to determine what changes you need to make in your dashboard.
By the way, I have discussed the same thing below as well. Please have a look.
Part 1 : https://youtu.be/SiXshUxhmcc
Part 2 : https://youtu.be/1fIWEqmxKEg
Part 3 : https://youtu.be/OzEb7Q-fuXs
Part 4 : https://youtu.be/K_PeZvkVFOA
Sid
Hi, @sdchakraborty. Thank you for coming back to me and I'm sorry it's taken a while to come back to you. I've been working through this, but I can't get the 'timepicker' to load the data.
Could you possibly have a look at my XML below please and let me know where I've gone wrong?
<form>
  <label>CODE</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
        <progress>
          <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
          <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
          <set token="jobEarliest">$job.earliestTime$</set>
          <set token="jobLatest">$job.latestTime$</set>
        </progress>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Extract Data</title>
        <search>
          <query><<Main part of query>>
            | eval earliest = $toEarliest$ | eval latest = if($toLatest$ < 0,now(),$toLatest$) | where Epoch_STime >= earliest AND Epoch_ETime <= latest
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
Many thanks and kind regards
Chris
Hi Chris,
The below code is in the wrong place. The progress tag has to be under a search.
<progress>
  <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
  <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
  <set token="jobEarliest">$job.earliestTime$</set>
  <set token="jobLatest">$job.latestTime$</set>
</progress>
Hi @sdchakraborty.
Thank you for coming back to me with this.
I've amended the code to the following:
<input type="time" token="time" searchWhenChanged="true">
  <label>Select the Time Range</label>
  <default>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </default>
</input>
<panel>
  <table>
    <title>Extract Data</title>
    <search>
      <query><<Main Query>>
      | eval earliest = $toEarliest$ | eval latest = if($toLatest$ < 0,now(),$toLatest$) | where Epoch_STime >=earliest AND Epoch_ETime <=latest
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
      <progress>
        <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
        <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
        <set token="jobEarliest">$job.earliestTime$</set>
        <set token="jobLatest">$job.latestTime$</set>
      </progress>
    </search>
  </table>
</panel>
The data is now being returned, so thank you for this, but it is not filtering the data to match the timepicker.
Is there any chance you could look at this please and let me know where I've gone wrong.
Many thanks and kind regards
Chris
Hi Chris,
That is wrong again... I have created a simplistic dashboard. Please have a look. You can change the dates at the panel level and test.
<form>
  <search>
    <query>|makeresults</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <progress>
      <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <set token="jobEarliest">$job.earliestTime$</set>
      <set token="jobLatest">$job.latestTime$</set>
    </progress>
  </search>
  <label>demo1</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=2
            | streamstats count
            | eval date_time = case(count=1,"2019-02-28T3:26:59.676Z",count=2,"2019-02-28T3:26:53.391Z")
            | eval date_time_epoch = strptime(date_time,"%Y-%m-%dT%H:%M:%S.%3N")
            | table _time,date_time,date_time_epoch
            | eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$) | where date_time_epoch &gt;= earliest AND date_time_epoch &lt;= latest</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Hi @sdchakraborty.
Thank you for this. I've been through this again and I've finally got this to work. Thank you so much for your help.
But would it be possible, because I want to learn from this, that you could explain the rationale behind the need to use the first query?
Many thanks and kind regards
Chris