Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to dynamically change the span parameter in bucket without using drop down options.

karthikeyan_k14
New Member
‎08-14-2017 05:53 AM

I have a search like this:

index=* source=*|....| bucket Time span=(1d/1h/5m)...| 
if I select last one month from time picker, span would auto change as 1d ..bucket Time span=1d in query
if I select last one day from time picker, span would auto change as 1h ..bucket Time span=1h in query.
if I select last one hour from time picker, span would auto change as 5m ..bucket Time span=5m in query.

A condition is that I can't use drop down for span....but timepicker for selecting for date and time.

can anyone help me on this query

Tags (3)
0 Karma
Reply

sbbadri
Motivator
‎08-14-2017 07:32 AM

<form>
<label>testspandynamicchange</label>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time_tok" searchWhenChanged="false">
<label>select a time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
<change>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 86400">
<set token="stok">1h</set>
</condition>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 3600">
<set token="stok">5m</set>
</condition>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 2629743">
<set token="stok">1d</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=splunkd group=pipeline | timechart span=$stok$ count by group</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</table>
</panel>
</row>
</form>

Reply

DalJeanis
SplunkTrust
SplunkTrust
‎08-14-2017 08:44 PM

@sbbadri - Order of the first two is reversed. You need to test 3600 before you test 86400.

Reply

niketn
Legend
‎08-14-2017 08:58 AM

@karthikeyan_k14, just FYI, if you use timechart first two should default span to what your are looking. Only for the third one it will be 1m by default not 5m.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...