Why is the dashboard time range picker not populating the last 10 days to now() ?

vemurisurya
Path Finder

In my dashboard, I am getting the Submit_Date max and min values, which are taken from the time picker. It selects the date or time range. However, when it selects last 10 days to now, it's not working. Instead of latest now(), it's populating only now.

| where Submit_Date >=$timer1.earliest$ AND Submit_Date <=$timer1.latest$
0 Karma

@vemurisurya, Submit_Date seems to be a date field from the event. Does it contain epoch time or string time?

You would need to make sure Submit_Date is epoch time; if not, use strptime() to convert it to epoch time. Also, if you are using the Time Picker input for the earliest and latest tokens, you have to make sure it returns epoch time as well.

Refer to the following answer using earliest and latest tokens from Time Picker input as epoch time: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

somesoni2
Revered Legend

Assuming you want to use the same time range picker that you have in your dashboard to filter events by different date fields, try it like this (assuming your date fields have a human-readable timestamp with format %Y-%m-%d %H:%M:%S; if it's different, update line 2 with that):

your current search
| eval filterDateEpoch=strptime('Submit_Date',"%Y-%m-%d %H:%M:%S")
| addinfo
| where filterDateEpoch>=info_min_time AND filterDateEpoch<=info_max_time
| fields - info_min_time info_max_time info_search_time info_sid filterDateEpoch

The addinfo command adds the current search's time range (earliest and latest) as fields info_min_time (i.e. earliest) and info_max_time (i.e. latest), with values in epoch format, to all events. Line two will convert your date field to an epoch value so that it can be compared.

vemurisurya
Path Finder

| eval now=now() | where Submit_Date >= "$timer1.earliest$" AND Submit_Date <= "$timer1.latest$"

this hack is working for me |eval now=now()

0 Karma

somesoni2
Revered Legend

Is timer1 also used as the time range in your dashboard search, or do you use some different time range picker for it?

0 Karma

vemurisurya
Path Finder

All the panels are using the same time picker

0 Karma

somesoni2
Revered Legend

So do you have two time range pickers in your dashboard or just one?

0 Karma

vemurisurya
Path Finder

just one

0 Karma

493669
Super Champion

Try adding these tokens to the header of the table/panel to see what values are being set:

<title>earliest=$timer1.earliest$ and latest=$timer1.latest$</title>

0 Karma

vemurisurya
Path Finder

Hi,
Here is the problem: in my panels the time fields are different. One panel has Submit_Date, another one Create_date, another has closed_date.
_time and the field dates are different.

0 Karma
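
The approach from somesoni2's answer, wired to a single time picker, as an added example that is not part of the original thread or of any poster's dashboard. The rows are constructed with makeresults so it runs on any instance; the default range, the verdict field and the handling of "+Infinity" (what addinfo reports for All time) are assumptions of this example.

```xml
<form>
  <label>Time picker vs. event date fields (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="timer1">
      <label>Time range</label>
      <default>
        <earliest>-10d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Debug title from the thread: shows the raw token values. For a
           relative preset these are strings such as -10d@d and now, not epoch. -->
      <title>earliest=$timer1.earliest$ and latest=$timer1.latest$</title>
      <table>
        <search>
          <!-- Constructed rows: 2 days old, 20 days old, one in another format -->
          <query><![CDATA[
| makeresults count=3
| streamstats count AS n
| eval Submit_Date=case(n=1, strftime(relative_time(now(), "-2d"), "%Y-%m-%d %H:%M:%S"),
                        n=2, strftime(relative_time(now(), "-20d"), "%Y-%m-%d %H:%M:%S"),
                        n=3, "02/01/2018")
| eval filterDateEpoch=strptime(Submit_Date, "%Y-%m-%d %H:%M:%S")
| addinfo
| eval info_max_time=if(info_max_time="+Infinity", now(), info_max_time)
| eval verdict=case(isnull(filterDateEpoch), "unparsed: fix the strptime format",
                    filterDateEpoch>=info_min_time AND filterDateEpoch<=info_max_time, "in range",
                    true(), "out of range")
| table Submit_Date filterDateEpoch info_min_time info_max_time verdict
          ]]></query>
          <!-- The picker sets the search time range; addinfo reports it as epoch -->
          <earliest>$timer1.earliest$</earliest>
          <latest>$timer1.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

For panels keyed on Create_date or closed_date, swap the field name (and format string, if it differs) in the strptime line; a row whose date does not match the format gets a null filterDateEpoch and would be silently dropped by a plain where clause.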