Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using Time Picker Tokens in Other Search Time

dsitek
Explorer
‎07-11-2019 12:35 PM

I am trying to create a dashboard in which the results of one query can be compared to the results of the same query from 24 hours prior. Due to the volume of events that my search generates, it is best to keep the timeframe restricted to 15 minutes (or similar short spans). Is there a way to use the time tokens of one search to set the timeframe for the search for the day prior e.g. from 2:00 to 2:15 on 7/11/19 as compared to 2:00 to 2:15 on 7/10/19?
I have tried using the default tokens of $time1.earliest$ and $time1.latest$ in another searches time quantifiers, but $time1.earliest$-24h and $time1.latest$-24h gives an error, saying that the latest time can not be before earlier time.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-18-2019 06:28 PM

@dsitek refer to one of my older answer with two approaches to get the epoch earliest and latest time from Time Picker using either independent search or <eval>. Whichever approach you use you can subtract 86400 to get epoch time with -24h

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Let us know if you need further assistance.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-18-2019 06:28 PM

@dsitek refer to one of my older answer with two approaches to get the epoch earliest and latest time from Time Picker using either independent search or <eval>. Whichever approach you use you can subtract 86400 to get epoch time with -24h

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Let us know if you need further assistance.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

dsitek
Explorer
‎07-19-2019 10:36 AM

@niketnilay I was able to use your solution to convert the time tokens into epochs so that I could use them in my second search and run it a single day prior to the first search. Thank you so much.
For those who do not wish to read the full solution, I added the following search to the top of my dashboard:
`Access Logs Test

<query>| makeresults
 </query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
<done>
  <eval token="tokEarliestTime1">strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S %p")</eval>
  <eval token="tokLatestTime1">strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S %p")</eval>
  <eval token="tokEarliestTime2">tokEarliestTime1-86400</eval>
  <eval token="tokLatestTime2">tokLatestTime1-86400</eval>
</done>`

I then used the tokens tokEarliestTime2 and tokLatestTime2 as the time tokens for my second search.

Reply
Solved! Jump to solution

niketn
Legend
‎07-19-2019 08:06 PM

Glad it worked for you! Have an awesome weekend ahead!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

dsitek
Explorer
‎07-19-2019 10:11 PM

You as well!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...