Solved: Why is Classic Time picker not cloned in dashboard...

marksheinbaum · ‎05-24-2023

I'm experimenting with converting a classic dashboard to dashboard studio. The classic dashboard has a time picker used to establish a date range for searches in the panels. When I cloned the dashboard to dashboard studio, the time picker is no longer used. All the searches, are searching from the earliest date stored in Splunk which is several years worth of data. Can someone explain what is happening and how to fix. This should be a relatively simple thing to do.

ITWhisperer · ‎05-25-2023

So your earliest and latest are set to "all time" - change them to

		"latest": "$global_time.latest$",
		"earliest": "$global_time.earliest$"

View solution in original post

marksheinbaum · ‎05-28-2023

I accepted the solution. However, I'm surprised that the cloning process does not generate that automatically.

ITWhisperer · ‎05-24-2023

If you look at the source of the Studio Dashboard, you should be able to see which timepicker is being used. It is possibly global. Try changing this to your named timepicker.

	"defaults": {
		"dataSources": {
			"ds.search": {
				"options": {
					"queryParameters": {
						"latest": "$global_time.latest$",
						"earliest": "$global_time.earliest$"
					}
				}
			}
		}
	},

marksheinbaum · ‎05-24-2023

Here's the code from the converted and unmodified dashboard. It's not clear to me exactly what to change per your advise. Can you please clarify? Thanks.

"inputs": {

"input_1": {

"type": "input.timerange",

"title": "Select a time:",

"options": {

"token": "global_time",

"defaultValue": "-60m@m,now"

}

},

ITWhisperer · ‎05-24-2023

That looks OK for a timepicker. What about how the datasources are defined? And the defaults?

marksheinbaum · ‎05-24-2023

Here's how the visualization and corresponding data source are defined. I don't see a "default" in the code.

"visualizations": {

"viz_chart_1": {

"type": "splunk.line",

"dataSources": {

"primary": "ds_search_1"

},

"showProgressBar": true,

"title": "nodesim instances ram usage (ps)",

"options": {

"yAxisAbbreviation": "auto",

"y2AxisAbbreviation": "off",

"showRoundedY2AxisLabels": false,

"legendTruncation": "ellipsisEnd",

"showY2MajorGridLines": true,

"yAxisMajorTickInterval": 1,

"yAxisTitleText": "Megabytes",

"nullValueDisplay": "connect",

"dataValuesDisplay": "off",

"legendDisplay": "bottom"

},

"context": {}

},

"dataSources": {

"ds_search_1": {

"type": "ds.search",

"options": {

"query": "index=os (sourcetype=ps OR sourcetype=vmstat) (host=scale-sysperf-95x-install-18* ) (COMMAND=CURRENT* OR COMMAND=nodesim)\n| rename memTotalMB as physicalMB\n| appendpipe [ where sourcetype==\"vmstat\" | rename memUsedMB as physicalMB | eval App=\"Physical-Used\" | fields physicalMB]\n| stats count sum(RSZ_KB) as RSZ_KB_sum max(physicalMB) as physicalMB by _time host COMMAND\n| timechart span=1m avg(eval(if(isnull(physicalMB),RSZ_KB_sum/1000,physicalMB))) as AppRSZ_MB by host",

"queryParameters": {

"earliest": 0,

"latest": ""

}

},

ITWhisperer · ‎05-25-2023

So your earliest and latest are set to "all time" - change them to

		"latest": "$global_time.latest$",
		"earliest": "$global_time.earliest$"

Why is Classic Time picker not cloned in dashboard studio?

Dashboard Studio

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...