how to pass dynamic value according to time picker in span

ektasiwani
Communicator

I want to set the span in the query according to the time range selected by the user.
I tried something like this, but it's giving an error for bucket/span.
How can I pass a variable in span?

 index="main" sourcetype=*** orig="*" product=****  | eval latest=[|gentimes start=-1 | addinfo | eval search=info_max_time | head 1 |table search] | eval earliest=[|gentimes start=-1 | addinfo | eval search=info_min_time | head 1 |table search] | eval time_span= round((latest-earliest)/3600,0)  | strcat time_span "h"  span_ryt | bucket _time span=span_ryt  | stats count by _time

I tried assigning a value to span_ryt and passing the same to span, but it's not working.

Thanks

0 Karma

alacercogitatus
SplunkTrust

You can't do that. Using a variable for a span argument is simply not possible. However, you can use a search macro!

Set up your macro like this:

[myBucket(1)]
args = span
definition = bucket _time span=$span$

And use it like this:

... | strcat time_span "h"  span_ryt | `myBucket(span_ryt)`  | stats count by _time

This will perform the search you defined, but replace the token with the string you created.

For more information on macros and macros.conf: http://www.splunk.com/base/Documentation/6.2.4/Admin/Macrosconf?r=splunky

0 Karma

ektasiwani
Communicator

I tried the same thing.
It's still giving the error below:

Error in 'bucket' command: The value for option span (span_ryt) is invalid.

index="main" sourcetype="***" orig="*" product="***"  | eval latest=[|gentimes start=-1 | addinfo | eval search=info_max_time | head 1 |table search] | eval earliest=[|gentimes start=-1 | addinfo | eval search=info_min_time | head 1 |table search] | eval time_span= round((latest-earliest)/3600,0)  | strcat time_span "h"  span_ryt | `myBucket(span_ryt)`  | stats count by _time

I changed the macros file as you told me and copied it to ../etc/apps/myapp/default/

0 Karma

alacercogitatus
SplunkTrust

Try removing the strcat and using an eval.

eval span_ryt = time_span ."h"

Make sure that the field is shown in the interesting fields list with the correct value.

0 Karma

ektasiwani
Communicator

I tried this; it's giving the same error.
I tried printing span_ryt and I am getting the correct value.

When I pass my query as

...|  eval span_ryt = time_span ."h"| `myBucket(72h)`| stats count by _time

I am getting the desired output.

But when I try with this

.....| eval span_ryt=time_span . "h"| `myBucket(span_ryt)`  | stats count by _time

I am getting this error "Error in 'bucket' command: The value for option span (span_ryt) is invalid."

0 Karma
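An added example, not from any post in this thread: the error text shows the literal string span_ryt reaching bucket, so the field value is never substituted into the span option. The sketch below instead builds the span inside a subsearch, reusing the question's own `eval search=... | table search` idiom, so the computed text is spliced into the outer search before bucket runs. It assumes a bounded time range is selected in the time picker; the `max(..., 1)` guard is an added assumption so ranges under one hour do not produce "0h".

```spl
index="main" sourcetype="***" orig="*" product="***"
| bucket _time span=[
    | gentimes start=-1
    | addinfo
    ``` info_min_time / info_max_time hold the time range chosen in the picker ```
    | eval hours=max(round((info_max_time - info_min_time) / 3600, 0), 1)
    ``` a field named "search" makes the subsearch return its raw value, e.g. 72h ```
    | eval search=hours . "h"
    | head 1
    | table search ]
| stats count by _time
```

The triple-backtick inline comments require a Splunk version that supports them; remove them on older releases.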