I have a Simple XML Dashboard using a Time Picker. Some panels are affected by the Time Picker, and some aren't. I'd like to specify in the panel title which panels are affected by the Time Picker by inserting the picked time into the panel.
I know how to do that using $token.earliest$ and $token.latest$, but Splunk provides much more aesthetic value in the time picker itself, e.g. "Today", "Yesterday", "During Wed, March 21, 2018". I'm wondering if that value is stored somewhere accessible to me.
I spent a couple of hours reading through the documentation that should be relevant (http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/PanelreferenceforSimplifiedXML & http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens), but I couldn't find an answer.
Basically I want to know how to do this:
Sorry about last answer.
I'm not sure how to get that info from the tokens. But you could certainly create a new token in the dashboard, formatted the way you want, using EVAL and strftime to put in the title of the panel.
Used this page for help with using eval and a time picker: https://answers.splunk.com/answers/334498/how-to-use-eval-on-a-token-from-a-time-picker-and.html
Ultimately, this does not work when picking dates such as "Today" or "Yesterday". strftime outputs "Invalid Date".
It does work if you pick a date range, though.
See http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens for the way to use tokens from a panel in the panel's title.
Instead of using the token from the Time Picker, you could use
@ksextonmacb, the Preset names in the Time Picker come from the Time ranges User Interface element. While most of these are built in, you can create custom Time Ranges from the Settings > User Interface > Time ranges menu, provided you have the access.
Time ranges can be accessed via the REST API:
| rest services/data/ui/times
As far as you are picking up Time Ranges from the Presets section of the Time input, the above REST API call should give you the Selected Time Label. Else I have used $job.latestTime$ to pick up and show static To dates in YYYY-mm-dd HH:MM:SS format. You can format as per your needs. Refer to my previous answer for getting the selected time from Time input: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
Following is a run anywhere dashboard code for the screenshot attached (please try out and confirm):
<form>
  <label>Preset Name based on Selection</label>
  <!-- Base search tied to the time picker; its <done> handler builds the fallback From/To label from the job's time bounds -->
  <search>
    <query>| makeresults </query>
    <done>
      <eval token="tokManuallySelectedTime">"From ".strftime(strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S"),"%Y/%m/%d %H:%M:%S")." to ".strftime(strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S"),"%Y/%m/%d %H:%M:%S")</eval>
      <eval token="tokEarliestTime">strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S")</eval>
      <eval token="tokLatestTime">strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S")</eval>
    </done>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$tokDisplaySelectedTime$</title>
      <table>
        <!-- Look up the preset whose earliest/latest match the picker tokens; the appended row supplies the fallback label -->
        <search>
          <query>| rest services/data/ui/times | search earliest_time="$tokTime.earliest$" latest_time="$tokTime.latest$" | fields earliest_time latest_time label | append [| makeresults | eval earliest_time=strftime("$tokEarliestTime$","%Y/%m/%d %H:%M:%S"), latest_time=strftime("$tokLatestTime$","%Y/%m/%d %H:%M:%S"), label="$tokManuallySelectedTime$" | fields - _time] | head 1</query>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="tokDisplaySelectedTime">$tokManuallySelectedTime$</set>
            </condition>
            <condition>
              <set token="tokDisplaySelectedTime">$result.label$</set>
            </condition>
          </done>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
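The lookup-with-fallback logic of the dashboard above, modelled offline as an added example (not code from the thread or from Splunk). The JSON sample is constructed, its entry/content layout is an assumption about the JSON form of the endpoint, and the fallback formats the picker values directly rather than `$job.earliestTime$`; it also assumes date-range selections arrive as epoch seconds, which is why they never match a preset.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a JSON response from services/data/ui/times.
# The entry/content layout is an assumption; the field names (label,
# earliest_time, latest_time) are the ones the SPL query above selects.
SAMPLE_TIMES_JSON = json.dumps({"entry": [
    {"name": "today", "content": {
        "label": "Today", "earliest_time": "@d", "latest_time": "now"}},
    {"name": "yesterday", "content": {
        "label": "Yesterday", "earliest_time": "-1d@d", "latest_time": "@d"}},
    {"name": "last_24h", "content": {
        "label": "Last 24 hours", "earliest_time": "-24h@h", "latest_time": "now"}},
]})


def load_presets(raw_json):
    """Map (earliest_time, latest_time) -> label for every preset entry."""
    presets = {}
    for entry in json.loads(raw_json).get("entry", []):
        content = entry.get("content", {})
        key = (content.get("earliest_time", ""), content.get("latest_time", ""))
        # First entry wins if two presets share the same bounds.
        presets.setdefault(key, content.get("label", entry.get("name", "")))
    return presets


def _fmt(value):
    """Render epoch seconds as UTC text; leave relative modifiers untouched."""
    try:
        ts = datetime.fromtimestamp(float(value), tz=timezone.utc)
    except (TypeError, ValueError, OverflowError, OSError):
        return str(value)
    return ts.strftime("%Y/%m/%d %H:%M:%S")


def display_label(earliest, latest, presets):
    """Preset label when both picker values match exactly, else a From/To string."""
    label = presets.get((earliest, latest))
    if label:
        return label
    return "From {} to {}".format(_fmt(earliest), _fmt(latest))
```
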
That's more complicated than I'd anticipated, but it's exactly what I was looking for.
@ksextonmacb, if you just want earliest time as relative time compared to what you have selected, try the following run anywhere search (however, this will not account for latest time other than now), which is based on reltime command which works on
| makeresults | addinfo | eval _time=info_min_time | fields _time | reltime
It shows "From Invalid date to Invalid date" when I choose a date range, but when I choose from relative time it works.
My Splunk version is 7.3.3. Is there any change in this version?
$label$ along with <change> and been mostly successful with it. The only weak point is that it doesn't always pick up the default value on the first time the screen loads and will display the system default (still on 6.5.2, so it's "All time"). Code as follows:
<input type="time" searchWhenChanged="true">
  <label>Enter time range</label>
  <default>
    <earliest>-1d@d</earliest>
    <latest>@d</latest>
  </default>
  <change>
    <set token="displayTime">($label$)</set>
  </change>
</input>
Note that this only works for the simple values (Yesterday, etc.). But in this case I was looking to keep the dashboard as simple as possible.