Dashboards & Visualizations

time picker tokens in epoch time

Contributor

I have a requirement to display in a dashboard the time range in use by the time picker. This has to be a single value in a specific format. To accomplish this I've been using the strftime function, which requires that I have tokens in epoch time from the dashboard.

To accomplish this I've been using @rjthibod solution from https://answers.splunk.com/answers/590512/use-timepicker-earliest-and-latest-as-epoch-time.html. This uses the relative_time function within the input to conditionally convert the time picker tokens into epoch time if they aren't already. But today I am seeing strange behavior from some time ranges, specifically "Previous Business Week".

Everything works fine for time ranges like "Previous Month", but when I change the time picker to "Previous Business Week" I get an ending epoch time from the time picker that is in the future. This isn't the result that I get when I use the relative_time function in an eval statement in a regular search, as displayed in the table below the single-value panel.

Sorry for the long xml, but I think this shows all of the different tokens and evals in play.

Run-anywhere example:

<form>
  <label>time picker epoch issue</label>
  <description></description>
  <fieldset submitButton="false">
    <input type="time" token="timepicker">
      <label>Select Time Range</label>
      <default>
        <earliest>-1mon@mon</earliest>
        <latest>@mon</latest>
      </default>
      <change>
        <eval token="timepicker.earliest_epoch">if(isnum('earliest'),'earliest',relative_time(now(),'earliest')</eval>
        <eval token="timepicker.latest_epoch">if(isnum('latest'),'latest',relative_time(now(),'latest')</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$timepicker.earliest_epoch$ through $timepicker.latest_epoch$ OR $timepicker.earliest$ through $timepicker.latest$</title>
      <single>
        <search>
          <query>| makeresults 
| eval earliest = strftime("$timepicker.earliest_epoch$", "%d %b %Y") 
| eval latest = strftime("$timepicker.latest_epoch$", "%d %b %Y")
| eval display = earliest." - ".latest
| table display</query>
        </search>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults
          |eval 'timepicker.earliest'="$timepicker.earliest$"
          |eval 'timepicker.latest'="$timepicker.latest$"
          |eval 'timepicker.earliest_epoch'="$timepicker.earliest_epoch$"
          |eval 'timepicker.latest_epoch'="$timepicker.latest_epoch$"
| eval earliest_from_rel_time = relative_time(now(), "$timepicker.earliest$")
| eval latest_from_rel_time = relative_time(now(), "$timepicker.latest$")
| eval pretty_latest_from_rel_time = strftime(latest_from_rel_time, "%d %b %Y")
| eval earliest_from_epoch = strftime("$timepicker.earliest_epoch$", "%d %b %Y") 
| eval latest_from_epoch = strftime("$timepicker.latest_epoch$", "%d %b %Y")
| table 'timepicker.earliest' 'timepicker.latest' 'timepicker.earliest_epoch' 'timepicker.latest_epoch' earliest_from_rel_time latest_from_rel_time pretty_latest_from_rel_time earliest_from_epoch latest_from_epoch</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
          |eval 'timepicker.earliest'="$$timepicker.earliest$$"&lt;br/&gt;
          |eval 'timepicker.latest'="$$timepicker.latest$$"&lt;br/&gt;
          |eval 'timepicker.earliest_epoch'="$$timepicker.earliest_epoch$$"&lt;br/&gt;
          |eval 'timepicker.latest_epoch'="$$timepicker.latest_epoch$$"&lt;br/&gt;
          | eval earliest_from_rel_time = relative_time(now(), "$$timepicker.earliest$$")&lt;br/&gt;
  | eval latest_from_rel_time = relative_time(now(), "$$timepicker.latest$$")&lt;br/&gt;
  | eval pretty_latest_from_rel_time = strftime(latest_from_rel_time, "%d %b %Y")&lt;br/&gt;
  | eval earliest_from_epoch = strftime("$$timepicker.earliest_epoch$$", "%d %b %Y") &lt;br/&gt;
  | eval latest_from_epoch = strftime("$$timepicker.latest_epoch$$", "%d %b %Y")
  </html>
    </panel>
  </row>
</form>
Tags (3)
0 Karma

Motivator

Looks to me like it's just a bug with how Splunk determines epoch time for that format (-1d@w6). You're not doing any calculations to 'timepicker.latest_epoch' after the line |eval 'timepicker.latest_epoch'="$timepicker.latest_epoch$", and when you copy and paste the value of 'timepicker.latest_epoch into an online converter, it's the same value in the future. This value does NOT match the epoch time that Splunk displays in the Advanced section of the time selector.

I also tested -1d@w2 through -1d@w6 . All have same issue except -1d@w1 (probably because it's Tuesday)

Side note: in your XML, you should find/replace &lt;br/&gt; into &lt;br/&gt; (edit: nevermind, it's just how Splunk answers seems to be modifying it)

edit: Thinking about this more... Shouldn't Previous Business Week be: -6d@w1 through -6d@w6? This doesn't work though because in the time picker, it says that the latest is before the earliest.

Cheers,
Jacob
0 Karma

Contributor

@niketnilay I tried your posted solution to the question that I referenced above, and it seems to solve this problem. But I'm curious as to why this doesn't also work. Any thoughts?

0 Karma