eval not working with time functions while evaluating the tokens

varun99
Path Finder

I have a panel which provides us a list of transactions along with the StartTime of the transactions. I want a drill down panel which searches for a specific transaction within the time range (StartTime - 5 minutes) to (StartTime + 1 hour).

Please note that the StartTime is a field listed in the first panel with the format "YYYY/mm/dd HH:MM:SS.sss".

I tried to eval the StartTime and EndTime of the second panel in the tokens like below:

        <set token="JMS_ID">$row.JMSID$</set>
        <eval token="StartTime">strptime($row.StartTime$, "%Y/%m/%d %H:%M:%S.%3Q")-600</eval>
        <set token="show_transaction">true</set>
        <unset token="show_correlated"></unset>
        <eval token="EndTime">strptime($row.StartTime$, "%Y/%m/%d %H:%M:%S.%3Q")+3600</eval>

I am providing the input to the second panel as below:

      <earliest>$StartTime$</earliest>
      <latest>$EndTime$</latest>

But it's not working. The search is not even starting. It says "Search is waiting for input..."

0 Karma
1 Solution

varun99
Path Finder

It worked with the below:

        <set token="JMS_ID">$row.JMSID$</set>
        <set token="show_transaction">true</set>
        <unset token="show_correlated"></unset>
        <set token="StartTime">$row.StartTime$</set>
        <eval token="token_starttime">relative_time(strptime($StartTime$,"%Y/%m/%dT%H:%M:%S"),"-5m")</eval>
        <eval token="token_endtime">relative_time(strptime($StartTime$,"%Y/%m/%dT%H:%M:%S"),"+1h")</eval>

Set the token first and then use that token in the eval command. I am using the below tokens in the drilldown panel.

token_starttime
token_endtime

Thanks all for your help.
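
The following is an added worked example, not code from the thread or from Splunk: it emulates in Python what the accepted answer's token flow does, so the failure mode can be checked offline. Splunk's strptime returns null when the value does not match the format string, and an eval token computed from null is never set, which is exactly what leaves the drilldown at "Search is waiting for input...". Assumptions: Splunk's %3Q millisecond directive is mapped to Python's %f, timestamps are treated as UTC (Splunk uses the server/user time zone), and the sample rows are constructed for the demonstration.

```python
import calendar
from datetime import datetime, timezone

# The question's Splunk strptime format uses %3Q for milliseconds;
# Python's equivalent directive is %f, so the format is translated here.
SPLUNK_FORMAT = "%Y/%m/%d %H:%M:%S.%3Q"
PYTHON_FORMAT = SPLUNK_FORMAT.replace("%3Q", "%f")

EARLIEST_OFFSET_S = -5 * 60   # relative_time(..., "-5m") in the accepted answer
LATEST_OFFSET_S = 60 * 60     # relative_time(..., "+1h")


def parse_start_time(value, fmt=PYTHON_FORMAT):
    """Return epoch seconds for value, or None when the format does not match.

    None mirrors Splunk's strptime returning null: an <eval> token derived
    from a null value is never set, so the drilldown search never starts.
    """
    try:
        dt = datetime.strptime(value, fmt)
    except ValueError:
        return None
    # Assumption: the timestamp is UTC (Splunk would apply its own time zone).
    whole = calendar.timegm(dt.replace(tzinfo=timezone.utc).timetuple())
    return whole + dt.microsecond / 1e6


def drilldown_window(value, fmt=PYTHON_FORMAT):
    """Return (earliest, latest) epoch values for the drilldown, or None."""
    start = parse_start_time(value, fmt)
    if start is None:
        return None
    return (start + EARLIEST_OFFSET_S, start + LATEST_OFFSET_S)


def check_row(row, fmt=PYTHON_FORMAT):
    """Emulate the accepted answer's flow: copy the clicked row value into a
    token first, then evaluate the window from that token. Returns the tokens
    the drilldown would receive, or an error entry explaining why it cannot."""
    tokens = {"JMS_ID": row["JMSID"], "StartTime": row["StartTime"]}
    window = drilldown_window(tokens["StartTime"], fmt)
    if window is None:
        return {"error": f"StartTime {row['StartTime']!r} does not match {fmt!r}"}
    tokens["token_starttime"], tokens["token_endtime"] = window
    return tokens


# Constructed sample rows (not from the thread): the first matches the format
# stated in the question, the second is in the ISO-style form the accepted
# answer's strptime pattern expects and therefore fails against PYTHON_FORMAT.
SAMPLE_ROWS = [
    {"JMSID": "ID1", "StartTime": "2024/12/01 10:15:30.123"},
    {"JMSID": "ID2", "StartTime": "2024/12/01T10:15:30"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["JMSID"], check_row(row))
```

Running the block shows the first row producing a window 300 seconds before and 3600 seconds after the start time, while the second row reports the format mismatch instead of silently yielding an unset token; the same mismatch check is worth running against a real row value before wiring the strptime pattern into the dashboard.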

DalJeanis
Legend

Try this as your calculation -

tonumber(strptime($row.StartTime$, "%Y/%m/%d %H:%M:%S.%3Q")) - 600
0 Karma

elliotproebstel
Champion

Are you intentionally using $row.StartTime$ for both Start and End time? In your XML, you appear to be using that for both, with no modification (beyond parsing with strptime).

0 Karma

varun99
Path Finder

Thanks for your reply.

The condition is fine as it is the ELSE part. Similar eval statements are there in the conditional part as well. I have updated the question to remove the condition statement as it may confuse other people.

And yes, I am intentionally using $row.StartTime$ for both Start and EndTime. The modifications that have to be there are added in the question above.

0 Karma

elliotproebstel
Champion

Hmm, in that case, can you share the query you're using in the drilldown panel? Does it use a token that might not be getting set?

0 Karma

elliotproebstel
Champion

Also, you have put all of that inside a <condition> element with no actual condition defined. I think that's likely your biggest problem. You need to either define a triggering condition or just wrap that in a drilldown with no condition.

0 Karma