
How can I set a time range based on a time token?

Path Finder

I have this query

index=summary source="summary_events_2" 
orig_source=*pnr*
ms_region=us-west-1
(ms_level=ERROR OR ms_level=error)
NOT event=no-event
| stats sum(count) as count by  event, ms_level,_time
|appendcols [|search earliest=-14d index=summary source="summary_events_2" 
              orig_source=*pnr*
             ms_region=$region$
             (ms_level=ERROR OR ms_level=error) 
             | stats sparkline(sum(count),1d) as trend_span_1d
                     sparkline(sum(count),7d) as trend_span_7d
                     by  event, ms_level]
| where count!=""

My problem is that I want to create a specific time range for the sparkline. Keep in mind that I am using a drilldown time token with this query. I have been searching for a way to return a range based on a time token. Any ideas?
E.g.: starting at the $time_token$ and the past 14 days

0 Karma

Revered Legend

Assuming your time token is applied to the main search (before appendcols), give this a try

index=summary source="summary_events_2" 
 orig_source=*pnr*
 ms_region=us-west-1
 (ms_level=ERROR OR ms_level=error)
 NOT event=no-event
 | stats sum(count) as count by  event, ms_level,_time
 |appendcols [search [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-14d") | eval latest=info_min_time | table earliest latest ] index=summary source="summary_events_2" 
               orig_source=*pnr*
              ms_region=$region$
              (ms_level=ERROR OR ms_level=error) 
              | stats sparkline(sum(count),1d) as trend_span_1d
                      sparkline(sum(count),7d) as trend_span_7d
                      by  event, ms_level]
 | where count!=""
0 Karma

Path Finder

Yeah, this would work if the time token were applied before the appendcols, but unfortunately that is not the case. What I am basically trying to do is this: when the user clicks on the graph, it will show the events at that specific point in time, but I want the sparkline to show the trend of that event starting from 14 days before the "time_token".

0 Karma
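
An added example, not part of any post in this thread: one way to anchor the sparkline window on the drilldown token itself rather than on the main search's time range. It assumes $time_token$ is substituted as an epoch timestamp in seconds (an assumption, since the thread does not say what the token holds), and it replaces the gentimes/addinfo subsearch from the answer above with makeresults.

```spl
index=summary source="summary_events_2"
    orig_source=*pnr*
    ms_region=us-west-1
    (ms_level=ERROR OR ms_level=error)
    NOT event=no-event
| stats sum(count) as count by event, ms_level, _time
| appendcols
    [search
        [| makeresults
         | eval latest=$time_token$
         | eval earliest=relative_time(latest, "-14d")
         | return earliest latest]
        index=summary source="summary_events_2"
        orig_source=*pnr*
        ms_region=$region$
        (ms_level=ERROR OR ms_level=error)
     | stats sparkline(sum(count),1d) as trend_span_1d
             sparkline(sum(count),7d) as trend_span_7d
             by event, ms_level]
| where count!=""
```

The inner subsearch returns explicit earliest and latest terms, so the appended search covers the 14 days ending at the token regardless of the time range applied to the main search. Note that appendcols pairs rows by position rather than by event and ms_level, so both result sets need the same row order for the trend columns to line up.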