Dashboards & Visualizations

eval Not working with time functions while evaluating the tokens

varun99
Path Finder

I have a panel which provides us a list of transactions along with the StartTime of the transactions. I want a drill down panel which searches for a specific transaction within the time range (StartTime - 5 minutes) to (StartTime + 1 hour).

Please note that the StartTime is a field listed in the first panel with the format. "YYYY/mm/dd HH:MM:SS.sss".

I tried eval the startTime and EndTime of the second panel in the tokens like below:

        <set token="JMS_ID">$row.JMSID$</set>
        <eval token="StartTime">strptime($row.StartTime$, "%Y/%m/%d %H:%M:%S.%3Q")-600</eval>
        <set token="show_transaction">true</set>
        <unset token="show_correlated"></unset>
        <eval token="EndTime">strptime($row.StartTime$, "%Y/%m/%d %H:%M:%S.%3Q")+3600</eval>

I am providing the input to the second panel as below:

      <earliest>$StartTime$</earliest>
      <latest>$EndTime$</latest>

But it's not working. The search is not even starting. It says "Search is waiting for input..."

0 Karma
1 Solution

varun99
Path Finder

It worked with the below:

        <set token="JMS_ID">$row.JMSID$</set>
        <set token="show_transaction">true</set>
        <unset token="show_correlated"></unset>
        <set token="StartTime">$row.StartTime$</set>
        <eval token="token_starttime">relative_time(strptime($StartTime$,"%Y/%m/%dT%H:%M:%S"),"-5m")</eval>
        <eval token="token_endtime">relative_time(strptime($StartTime$,"%Y/%m/%dT%H:%M:%S"),"+1h")</eval>

Set token first and then use that token in the eval command. I am using the below tokens in the drilldown panel.

token_starttime
token_endtime

Thanks all for your help.

View solution in original post

varun99
Path Finder

It worked with the below:

        <set token="JMS_ID">$row.JMSID$</set>
        <set token="show_transaction">true</set>
        <unset token="show_correlated"></unset>
        <set token="StartTime">$row.StartTime$</set>
        <eval token="token_starttime">relative_time(strptime($StartTime$,"%Y/%m/%dT%H:%M:%S"),"-5m")</eval>
        <eval token="token_endtime">relative_time(strptime($StartTime$,"%Y/%m/%dT%H:%M:%S"),"+1h")</eval>

Set token first and then use that token in the eval command. I am using the below tokens in the drilldown panel.

token_starttime
token_endtime

Thanks all for your help.

DalJeanis
Legend

Try this as your calculation -

tonumber(strptime($row.StartTime$, "%Y/%m/%d %H:%M:%S.%3Q")) - 600
0 Karma

elliotproebstel
Champion

Are you intentionally using $row.StartTime$ for both Start and End time? In your XML, you appear to be using that for both, with no modification (beyond parsing with strptime).

0 Karma

varun99
Path Finder

Thanks for your reply.

The condition is fine as it is the ELSE part. Similar eval statements are there in the conditional part as well. I have updated the question to remove the condition statement as it may confuse other people.

And yes I am intentional using $row.StartTime$ for both Start and EndTime. Modification that have to be there are added in the questions above.

0 Karma

elliotproebstel
Champion

Hmm, in that case, can you share the query you're using in the drilldown panel? Does it use a token that might not be getting set?

0 Karma

elliotproebstel
Champion

Also - you have put all of that inside a <condition> element with no actual condition defined. I think that's likely your biggest problem. You need to either define a triggering condition or just wrap that in a drilldown with no condition.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...