Why is the dashboard time range picker not populating the last 10 days to now() ?

Path Finder

In my dashboard, I am getting the Submit_Date max and min values, which are taken from the timepicker. It selects the date or time range. However, when it selects last 10 days to now, it's not working. Instead of latest now(), it's populating only now.

| where Submit_Date >=$timer1.earliest$ AND Submit_Date <=$timer1.latest$

Path Finder

| eval now=now() | where Submit_Date >= "$timer1.earliest$" AND Submit_Date <= "$timer1.latest$"

this hack is working for me |eval now=now()


SplunkTrust

@vemurisurya, Submit_Date seems to be a date field from event. Does it contain epoch time or string time?

You would need to make sure Submit_Date is in epoch time; if not, use strptime() to convert it to epoch time. Also, if you are using the Time Picker input for the earliest and latest tokens, you have to make sure it returns epoch time as well.

Refer to the following answer using earliest and latest tokens from Time Picker input as epoch time: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html


SplunkTrust

Assuming you want to use the same time range picker that you have in your dashboard to filter events by different date fields, try it like this (assuming your date fields have a human-readable timestamp with format %Y-%m-%d %H:%M:%S. If it's different, update line 2 with that):

your current search
| eval filterDateEpoch=strptime('Submit_Date',"%Y-%m-%d %H:%M:%S")
| addinfo
| where filterDateEpoch>=info_min_time AND filterDateEpoch<=info_max_time
| fields - info_min_time info_max_time info_search_time info_sid filterDateEpoch

The addinfo command adds the current search's time range (earliest and latest) as fields info_min_time (i.e. earliest) and info_max_time (i.e. latest), with values in epoch format, to all events. Line two will convert your date field to an epoch value so that it can be compared.
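
An added example, not part of the original thread: a Simple XML dashboard that puts the suggestions above together, with the raw timer1 token values in the panel title and the range check done on epoch values from addinfo. The token name timer1 and the Submit_Date format come from the thread; the dashboard label, the default range of -10d@d to now, and the four sample rows generated with makeresults are assumptions constructed for illustration.

```xml
<form version="1.1">
  <label>Submit_Date filter check (added example)</label>
  <fieldset submitButton="false">
    <!-- Same token name as in the thread; the default range is an assumption -->
    <input type="time" token="timer1">
      <label>Time range</label>
      <default>
        <earliest>-10d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Shows the raw token values, which may be relative strings rather than epoch numbers -->
        <title>earliest=$timer1.earliest$ and latest=$timer1.latest$</title>
        <search>
          <!-- Constructed sample rows: Submit_Date 1, 6, 11 and 16 days before now.
               Replace the first three query lines with the real base search. -->
          <query><![CDATA[
| makeresults count=4
| streamstats count AS n
| eval Submit_Date=strftime(now() - (5*n - 4)*86400, "%Y-%m-%d %H:%M:%S")
| eval filterDateEpoch=strptime(Submit_Date, "%Y-%m-%d %H:%M:%S")
| addinfo
| eval in_range=if(filterDateEpoch>=info_min_time AND filterDateEpoch<=info_max_time, "yes", "no")
| eval range_start=strftime(info_min_time, "%Y-%m-%d %H:%M:%S")
| table Submit_Date filterDateEpoch range_start in_range
          ]]></query>
          <!-- The search itself runs over the picker's range, so addinfo reports that range -->
          <earliest>$timer1.earliest$</earliest>
          <latest>$timer1.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With the default range, the rows dated 1 and 6 days back show in_range=yes and the rows dated 11 and 16 days back show no; replacing the eval of in_range with a where clause on the same condition turns the check into a filter.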


SplunkTrust

Is timer1 also used as the time range in your dashboard search, or do you use a different time range picker for it?


Path Finder

All the panels are using the same time picker.


SplunkTrust

So do you have two time range pickers in your dashboard or just one?


Path Finder

just one


Super Champion

Try adding these tokens to the header of the table/panel to see what values are being set.

<title>earliest=$timer1.earliest$ and latest=$timer1.latest$</title>


Path Finder

Hi,
Here is the problem: in my panels the time fields are different. One panel has SubmitDate, another one has Createdate, and another has closed_date.
_time and the field dates are different.
