Getting Data In

Apply offset to earliest and latest time epoch values for a search in dashboard.

waltz
Explorer

I have a radio button group input in my dashboard like this:

    var input10 = new RadioGroupInput({
        "id": "input10",
        "choices": [
            {"label": "GMT-0100", "value": "one"},
            {"label": "GMT-0200", "value": "two"}
        ],
        "selectFirstChoice": false,
        "searchWhenChanged": true,
        "value": "$tok_interval$",
        "el": $('#input10')
    }, {tokens: true}).render();
    input10.on("change", function(newValue) {
        FormUtils.handleValueChange(input10);
    });
    // Set the tzadjust token to the eval clause for the selected timezone.
    input10.on("valueChange", function(e) {
        // GMT-0100: shift _time back one hour.
        if (EventHandler.evaluateCondition("match(value, \"one\")", e.data)) {
            EventHandler.setToken("tzadjust", "| eval _time=_time -3600", {}, e.data);
        }
        // GMT-0200: shift _time back two hours.
        if (EventHandler.evaluateCondition("match(value, \"two\")", e.data)) {
            EventHandler.setToken("tzadjust", "| eval _time=_time -7200", {}, e.data);
        }
    });

And I perform a search for a panel in my dashboard like this:

    var search23 = new SearchManager({
        "id": "search23",
        "cancelOnUnload": true,
        // $tzadjust$ is set to "| eval _time=_time -3600" during the search.
        "search": "index=$Vindx$| eval attempts=metrics| timechart span=$tok_interval$ sum(attempts) as Attempts , $query$ $tzadjust$ | fields _time,Attempts,sum(metrics) ",
        "latest_time": "$tok_time.latest$",  // Tried changing this to "latest_time": "$tok_time.latest$-3600",
        "status_buckets": 0,
        "earliest_time": "$tok_time.earliest$", // Tried changing this to "earliest_time": "$tok_time.earliest$-3600",
        "sample_ratio": null,
        "app": utils.getCurrentApp(),
        "auto_cancel": 90,
        "preview": true,
        "runWhenTimeIsUndefined": false,
        "cache": true
    }, {tokens: true, tokenNamespace: "submitted"});

Let me present the scenario I'm facing. For example, I have data between 10 pm and 11 pm in the GMT timezone, and my timezone is set to GMT in the Splunk settings. If I search for a range between 10 pm and 11 pm using the timerangepicker input, data in the 10 pm to 11 pm range is shown.

Now, I have another radio button input in my dashboard, GMT-0100. Upon choosing the GMT-0100 timezone from this input in my dashboard, I'm adding | eval _time = _time - 3600 to the search, which would mean the _time field (i.e. the data) is now shifted to between 9 pm and 10 pm. Now, with the radio button input GMT-0100 selected, if I select the time range 9 pm to 10 pm in the timerangepicker, I'm getting "no results found". Whereas if I select 10 pm to 11 pm in the timerangepicker again, I'm getting the data, but now it displays the data between 9 pm and 10 pm, whereas if I had not applied the -3600 offset, it would have shown the data between 10 pm and 11 pm. This discrepancy may be confusing to the user, since he chose a different time range.

Which tokens should I modify if I've chosen GMT-0100 from my radio button input and select the 9 pm to 10 pm time range, so that data is displayed correctly for this range and this timezone?

0 Karma
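The window arithmetic in the scenario above, as an added example that is not part of the original thread: the time range filters on the stored `_time` before the `eval` runs, so the search window has to move in the opposite direction to the display shift. It assumes the picker tokens hold epoch seconds for an absolute range; `TZ_OFFSETS`, `shiftBound` and `buildTimezoneSearch` are hypothetical names, and the code is plain JavaScript with no SplunkJS dependency.

```javascript
// Offsets in seconds for the two radio choices in the question.
const TZ_OFFSETS = { one: -3600, two: -7200 };

// Epoch seconds, optionally with a fractional part (assumed token format
// for an absolute range).
const EPOCH_RE = /^\d+(\.\d+)?$/;

// Shift one bound of the search window. Relative modifiers ("-60m@m", "now")
// and empty values are returned unchanged in this example.
function shiftBound(value, offsetSeconds) {
  const text = String(value == null ? "" : value).trim();
  if (!EPOCH_RE.test(text)) return text;
  // Events are displayed at _time + offset, so an event the user expects at
  // picker time T is stored at T - offset.
  return String(Number(text) - offsetSeconds);
}

// Build the search window and the eval clause for one radio choice.
function buildTimezoneSearch(choice, pickerEarliest, pickerLatest) {
  // The clause is interpolated into the search string, so only the known
  // choices are accepted (own properties only, never prototype keys).
  if (!Object.prototype.hasOwnProperty.call(TZ_OFFSETS, choice)) {
    throw new Error("unknown timezone choice: " + choice);
  }
  const offset = TZ_OFFSETS[choice];
  const sign = offset < 0 ? "-" : "+";
  return {
    earliest_time: shiftBound(pickerEarliest, offset),
    latest_time: shiftBound(pickerLatest, offset),
    tzadjust: "| eval _time=_time" + sign + Math.abs(offset),
  };
}

// Constructed sample: 21:00 to 22:00 GMT on 2020-01-01, chosen with GMT-0100.
// The search window becomes 22:00 to 23:00 GMT and the results are then
// displayed one hour earlier.
const sample = buildTimezoneSearch("one", "1577912400", "1577916000");
console.log(sample);
```
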

woodcock
Esteemed Legend

I still do not get what you are trying to do and suspect that there is probably a better way to do whatever is motivating you to this approach. Even so, I believe that this search will give you the tools that you need to implement your thing:

    | makeresults
    | eval userTZsetting=strftime(_time, "%Z")
    | eval userTZminutes = round((strptime(strftime(_time, "%Y%m%d%H%M%S") . " GMT", "%Y%m%d%H%M%S %Z") - _time)/60,0)

0 Karma

woodcock
Esteemed Legend

Why are you not just telling your users to "Be sure to set your personal TZ preference by going to <Your User Name> -> Account Settings -> Time zone (in the Global section)"?

0 Karma

waltz
Explorer

We would be disabling the Splunk settings for some users and instead allow them to choose certain settings from the dashboard. That's why 🙂

0 Karma

woodcock
Esteemed Legend

Your use case makes no sense to me. Why are you having your data lie to users when you click a radio button? I completely do not get it. Whenever I "don't get it", my brain is not effective at crafting answers.

0 Karma

waltz
Explorer

Ok I'll rephrase my question for you. If the user is in GMT TZ and has to view an event occurring at GMT-01:00 TZ or any other TZ whatsoever, he has to view it by choosing the timezone from the dashboard itself.

Also, my question is somewhat related to this one: https://answers.splunk.com/answers/120279/latest-earliest-timeformat-using-another-timezone-other-th....

But I'm unable to use the answer provided for the above question.

0 Karma

woodcock
Esteemed Legend

Your code formatting is so poor that it is all broken up and unreadable. You should go back and edit your question and make sure that your code is properly indented and preceded by 4-spaces ( markdown ) so that it shows as a contiguous code block.

0 Karma

waltz
Explorer

Sure @woodcock. I believe it is in a more readable format now. Thanks 🙂
