Getting Data In

How to set earliest and latest for the time range in a dashboard from the earliest and latest event timestamps?

bowesmana
SplunkTrust
SplunkTrust

I've read through a number of answers, but none quite gives what I want.

I have daily tests that run and my dashboard has a time picker, which is used to limit a number of cascading populating searches. These populating searches allow the user to choose a particular test date/series/name/run within the time picker range.

However, I then want the time range of the earliest and latest events found in the events that match the test to be used for all subsequent inline searches in the dashboard. Problem I have at the moment is that if I do month-to-date then pick yesterday's test, the timecharts will use an automatic span for the results, so I only get a single chart point for the entire test and cannot use a fine grained span due to the range in effect.

I think I need to create some kind of search that will then set tokens for the earliest/latest which can then be used in the search, but just can't work out how.

0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Thanks for the comment - I was looking more on how to get the first/last event date and then override the time picker date with those dates for the timecharts. I actually found that you can use fixedrange=false on timechart and that will restrict the X-axis to the time found in the events rather than the time in the picker, which is perfect for what I was trying to achieve.

View solution in original post

woodcock
Esteemed Legend
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Thanks for the comment - I was looking more on how to get the first/last event date and then override the time picker date with those dates for the timecharts. I actually found that you can use fixedrange=false on timechart and that will restrict the X-axis to the time found in the events rather than the time in the picker, which is perfect for what I was trying to achieve.

marina_rovira
Contributor

Sorry, I misunderstood the question then, I'm glad you've found a solution! 🙂

0 Karma

marina_rovira
Contributor

Hi, I have a search using the tokens, but it's with Id, so, maybe it will help you anyway.

This is my XML source:

For the dropdown input to choose which id I want:

  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="id" searchWhenChanged="true">
      <label>Select an ID</label>
      <search>
        <query>| inputlookup csv_file | fields Id</query>
      </search>
      <fieldForLabel>Id</fieldForLabel>
      <fieldForValue>Id</fieldForValue>
      <default>6</default>
    </input>

And then this is the part from the search to use this token:

    <panel>
          <table>
            <title>User table - 1 user</title>
            <search>
              <query>| inputlookup csv_file | search Id=$id$</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="wrap">undefined</option>
            <option name="rowNumbers">undefined</option>
            <option name="drilldown">row</option>
          </table>
        </panel>

I think for you, it will be something like that, just a token called $earlier$ and another $last$ and linked with the dropdown this way.

I don't know if this can help you, just let me know and I will help you to look for the right answer!
Regards

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...