Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Time Picker Tokens in Other Search Time

dsitek
Explorer
‎07-11-2019 12:35 PM

I am trying to create a dashboard in which the results of one query can be compared to the results of the same query from 24 hours prior. Due to the volume of events that my search generates, it is best to keep the timeframe restricted to 15 minutes (or similar short spans). Is there a way to use the time tokens of one search to set the timeframe for the search for the day prior e.g. from 2:00 to 2:15 on 7/11/19 as compared to 2:00 to 2:15 on 7/10/19?
I have tried using the default tokens of $time1.earliest$ and $time1.latest$ in another searches time quantifiers, but $time1.earliest$-24h and $time1.latest$-24h gives an error, saying that the latest time can not be before earlier time.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-18-2019 06:28 PM

@dsitek refer to one of my older answer with two approaches to get the epoch earliest and latest time from Time Picker using either independent search or <eval>. Whichever approach you use you can subtract 86400 to get epoch time with -24h

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Let us know if you need further assistance.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-18-2019 06:28 PM

@dsitek refer to one of my older answer with two approaches to get the epoch earliest and latest time from Time Picker using either independent search or <eval>. Whichever approach you use you can subtract 86400 to get epoch time with -24h

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Let us know if you need further assistance.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

dsitek
Explorer
‎07-19-2019 10:36 AM

@niketnilay I was able to use your solution to convert the time tokens into epochs so that I could use them in my second search and run it a single day prior to the first search. Thank you so much.
For those who do not wish to read the full solution, I added the following search to the top of my dashboard:
`Access Logs Test

<query>| makeresults
 </query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
<done>
  <eval token="tokEarliestTime1">strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S %p")</eval>
  <eval token="tokLatestTime1">strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S %p")</eval>
  <eval token="tokEarliestTime2">tokEarliestTime1-86400</eval>
  <eval token="tokLatestTime2">tokLatestTime1-86400</eval>
</done>`

I then used the tokens tokEarliestTime2 and tokLatestTime2 as the time tokens for my second search.

Reply
Solved! Jump to solution

niketn
Legend
‎07-19-2019 08:06 PM

Glad it worked for you! Have an awesome weekend ahead!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

dsitek
Explorer
‎07-19-2019 10:11 PM

You as well!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...