Dashboards & Visualizations

Why is the time Input Token(Range) not working in our dashboard panel query?

sureshkrovi
Explorer

Hi,

Can you please help me to understand how to use the time input token range for the below scenarios? I'm having issues dealing with the time range filter in dashboard query.

  • Oracle table added to splunk using DBconnect
    ProviderID Booked_Date Time Visit_Type
    1 11/1/2018 10AM Office
    1 11/1/2018 11AM Telephone
    2 11/2/2018 10AM Telephone
    3 11/5/2018 3PM Office

  • Look up crated to get Name for provider ID that is working good with static query.

index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP | eval myDate=strptime(BOOKED_DATE, "%Y-%m-%d")
| where myDate=strptime("11/1/2018", "%Y-%m-%d") | chart count(VISIT_TYPE_CID) over APPT_DATE by VISIT_TYPE_NAME

  • Time input field(form( created with token "time_input" and below query returns no records though splunk have events.

index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP | eval myDate=strptime(BOOKED_DATE, "%Y-%m-%d")
| where myDate>=strptime("$time_input.latest$", "%Y-%m-%d") AND myDate<=strptime("$time_input.latest$", "%Y-%m-%d") | chart count(VISIT_TYPE_CID) over APPT_DATE by VISIT_TYPE_NAME

Note: Getting long integers when trying to retrieve "time_input" from UI.

Thanks.

Tags (2)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you're seeing long integers then you're seeing epoch timestamps. You don't need to put them through strptime(), they already have the unit/format strptime() would return. You can compare them to myDate directly.

Side note, you're using $time_input.latest$ twice. You probably want $time_input.earliest$ for the first comparison.

0 Karma

sureshkrovi
Explorer

Thanks martin for the response,I tweaked the query to use strpttime() and strftime() in right places.It's working good.Here is the final query used.
index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP |eval earlyDate=strftime("$time_range.earliest$", "%Y-%m-%d")| eval latestDate=strftime("$time_range.latest$", "%Y-%m-%d")| eval apptDate=strptime(APPT_DATE, "%Y-%m-%d %H:%M:%S")|eval apptDate1=strftime(apptDate, "%Y-%m-%d")|where apptDate1>=earlyDate AND apptDate1<=latestDate |table APPT_DATE VISIT_TYPE_CID VISIT_TYPE_NAME earlyDate latestDate apptDate1 | chart count(VISIT_TYPE_CID) over apptDate1 by VISIT_TYPE_NAME

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...