Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to dynamically change the span parameter in bucket without using drop down options.

karthikeyan_k14
New Member
‎08-14-2017 05:53 AM

I have a search like this:

index=* source=*|....| bucket Time span=(1d/1h/5m)...| 
if I select last one month from time picker, span would auto change as 1d ..bucket Time span=1d in query
if I select last one day from time picker, span would auto change as 1h ..bucket Time span=1h in query.
if I select last one hour from time picker, span would auto change as 5m ..bucket Time span=5m in query.

A condition is that I can't use drop down for span....but timepicker for selecting for date and time.

can anyone help me on this query

Tags (3)
0 Karma
Reply

sbbadri
Motivator
‎08-14-2017 07:32 AM

<form>
<label>testspandynamicchange</label>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time_tok" searchWhenChanged="false">
<label>select a time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
<change>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 86400">
<set token="stok">1h</set>
</condition>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 3600">
<set token="stok">5m</set>
</condition>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 2629743">
<set token="stok">1d</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=splunkd group=pipeline | timechart span=$stok$ count by group</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</table>
</panel>
</row>
</form>

Reply

DalJeanis
Legend
‎08-14-2017 08:44 PM

@sbbadri - Order of the first two is reversed. You need to test 3600 before you test 86400.

Reply

niketn
Legend
‎08-14-2017 08:58 AM

@karthikeyan_k14, just FYI, if you use timechart first two should default span to what your are looking. Only for the third one it will be 1m by default not 5m.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...