Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using a time selector in a .dashboard - how can i make modifications to latest time in a query?

rvoninski_splun
Splunk Employee
Splunk Employee
‎06-02-2017 12:08 PM

I have a dashboard and set of queries where i want to give someone the ability to select the time range. A time range isnt really as important as giving me the selection for latest time. Since I am building queries based on that. Specifically in the example below I want to only show the data for the day previous to the latest time selected in other words I want to make the time selection

earliest=now-48hours(snap to day)

latest=now-24hours(snap to day)

Here is the query I am trying to use but it isnt working as written. The time token name is TimeRange

 <query>host=host123 index=security123 sourcetype="SplunkLog123" earliest=$TimeRange.latest$-2d@d latest=$TimeRange.latest$-1d@d</query>

Thanks for your help in advance.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-03-2017 09:53 AM

Like this:

<query>host=host123 index=security123 sourcetype="SplunkLog123" [|makeresults | earliest=$TimeRange.latest$-172800, latest=$TimeRange.latest$-86400| table earliest latest | format "" "" "" "" "" ""]</query>
0 Karma
Reply

micahkemp
Champion
‎06-02-2017 12:18 PM

You can set earliest/latest using a subsearch if necessary. In this case, you can set earliest using an eval based on info_max_time, created via addinfo.

Try this, which should set earliest to be essentially latest-1d:

host=host123 index=security123 sourcetype="SplunkLog123"  [| makeresults | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest]

Edit:

Try this instead:

[| makeresults | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest]  host=host123 index=security123 sourcetype="SplunkLog123"

I've seen issues before with Splunk interpreting earliest=/latest= as key/values pairs of the data itself (instead of time modifiers) if they aren't at the start of the query.

0 Karma
Reply

rvoninski_splun
Splunk Employee
Splunk Employee
‎06-02-2017 01:44 PM

LOL - I should have just emailed you Micah!!

Im not quite getting this to work yet - the query is returning by itself from within splunk search no results when the subsearch is added. by itself the subsearch is returning 

| makeresults  | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest

Result a one element table with the following value --> 1496349788.000000

Any idea on what to check? Have you been able to get this to run against your own queries with this subsearch?

Thanks.
RV

0 Karma
Reply

rvoninski_splun
Splunk Employee
Splunk Employee
‎06-02-2017 01:53 PM

So close - I think ive got it working we needed to modify the latest time to get the events to show the events i want . Only mod made 

[| makeresults | addinfo | eval latest=relative_time(info_max_time, "-1d") | table latest]

Going to test within dashboards now.

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...