- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: How to dynamically change the span parameter i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to dynamically change the span parameter in bucket without using drop down options.
I have a search like this:
index=* source=*|....| bucket Time span=(1d/1h/5m)...|
if I select last one month from time picker, span would auto change as 1d ..bucket Time span=1d in query
if I select last one day from time picker, span would auto change as 1h ..bucket Time span=1h in query.
if I select last one hour from time picker, span would auto change as 5m ..bucket Time span=5m in query.
A condition is that I can't use drop down for span....but timepicker for selecting for date and time.
can anyone help me on this query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<form>
<label>testspandynamicchange</label>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time_tok" searchWhenChanged="false">
<label>select a time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
<change>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 86400">
<set token="stok">1h</set>
</condition>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 3600">
<set token="stok">5m</set>
</condition>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 2629743">
<set token="stok">1d</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=splunkd group=pipeline | timechart span=$stok$ count by group</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sbbadri - Order of the first two is reversed. You need to test 3600 before you test 86400.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@karthikeyan_k14, just FYI, if you use timechart first two should default span to what your are looking. Only for the third one it will be 1m by default not 5m.
| makeresults | eval message= "Happy Splunking!!!"
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
