Solved: How to set earliest and latest for the time range ...

bowesmana · ‎02-24-2016

I've read through a number of answers, but none quite gives what I want.

I have daily tests that run and my dashboard has a time picker, which is used to limit a number of cascading populating searches. These populating searches allow the user to choose a particular test date/series/name/run within the time picker range.

However, I then want the time range of the earliest and latest events found in the events that match the test to be used for all subsequent inline searches in the dashboard. Problem I have at the moment is that if I do month-to-date then pick yesterday's test, the timecharts will use an automatic span for the results, so I only get a single chart point for the entire test and cannot use a fine grained span due to the range in effect.

I think I need to create some kind of search that will then set tokens for the earliest/latest which can then be used in the search, but just can't work out how.

bowesmana · ‎02-26-2016

Thanks for the comment - I was looking more on how to get the first/last event date and then override the time picker date with those dates for the timecharts. I actually found that you can use fixedrange=false on timechart and that will restrict the X-axis to the time found in the events rather than the time in the picker, which is perfect for what I was trying to achieve.

View solution in original post

woodcock · ‎02-26-2016

For auto-adjusting span, you can look here:

https://answers.splunk.com/answers/318526/how-do-i-get-the-time-span-spanx-in-a-search-to-au.html#an...

bowesmana · ‎02-26-2016

Thanks for the comment - I was looking more on how to get the first/last event date and then override the time picker date with those dates for the timecharts. I actually found that you can use fixedrange=false on timechart and that will restrict the X-axis to the time found in the events rather than the time in the picker, which is perfect for what I was trying to achieve.

marina_rovira · ‎02-29-2016

Sorry, I misunderstood the question then, I'm glad you've found a solution! 🙂

marina_rovira · ‎02-25-2016

Hi, I have a search using the tokens, but it's with Id, so, maybe it will help you anyway.

This is my XML source:

For the dropdown input to choose which id I want:

  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="id" searchWhenChanged="true">
      <label>Select an ID</label>
      <search>
        <query>| inputlookup csv_file | fields Id</query>
      </search>
      <fieldForLabel>Id</fieldForLabel>
      <fieldForValue>Id</fieldForValue>
      <default>6</default>
    </input>

And then this is the part from the search to use this token:

    <panel>
          <table>
            <title>User table - 1 user</title>
            <search>
              <query>| inputlookup csv_file | search Id=$id$</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="wrap">undefined</option>
            <option name="rowNumbers">undefined</option>
            <option name="drilldown">row</option>
          </table>
        </panel>

I think for you, it will be something like that, just a token called $earlier$ and another $last$ and linked with the dropdown this way.

I don't know if this can help you, just let me know and I will help you to look for the right answer!
Regards

How to set earliest and latest for the time range in a dashboard from the earliest and latest event timestamps?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life