Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use relative dates based on now in a form's time picker?

twinspop
Influencer
‎09-19-2014 07:11 AM

The time picker field will use now as the latest time for many of the choices. I'm trying to create a week over week chart. The user selects "Last 4 hours", for example, and I create a chart with the last 4 hours plus the same 4 hours a week ago. I use $timepicker.earliest$-1w and $timepicker.latest$-1w for the previous week's numbers. However, now-1w coughs up an error.

Is there a way to make this work? Seems like an oversight since (all? most?) of the other relative time indicators work with the time arithmetic. Why is now treated differently?

Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-19-2014 07:21 AM

You can work around that without having to rely on relative values from the timepicker at all - your approach breaks if someone selects a specific date and time, for example.

Here's a rough draft:

  base search earliest=$timepicker.earliest$ latest=$timepicker.latest$ | reporting stuff
| append [search base search
    [search index=* earliest=$timepicker.earliest$ latest=$timepicker.latest$ | head 1 | addinfo | eval earliest = relative_time(info_min_time, "-1w") | fields earliest]
    [search index=* earliest=$timepicker.earliest$ latest=$timepicker.latest$ | head 1 | addinfo | eval latest = relative_time(info_max_time, "-1w") | fields latest]
  | reporting stuff]

The two sub-subsearches load a dummy event, add the time range used as epoch values, do the subtraction of a week, and return the earliest and latest to the outer subsearch that then does the week-ago-search.
Adapt the things around the sub-subsearches to match whatever you're actually doing. Didn't test this, but it should work for everything you can select in the time range picker, including fixed dates or even all time - won't make sense for all time, but it won't throw up errors 😄

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-19-2014 07:21 AM

You can work around that without having to rely on relative values from the timepicker at all - your approach breaks if someone selects a specific date and time, for example.

Here's a rough draft:

  base search earliest=$timepicker.earliest$ latest=$timepicker.latest$ | reporting stuff
| append [search base search
    [search index=* earliest=$timepicker.earliest$ latest=$timepicker.latest$ | head 1 | addinfo | eval earliest = relative_time(info_min_time, "-1w") | fields earliest]
    [search index=* earliest=$timepicker.earliest$ latest=$timepicker.latest$ | head 1 | addinfo | eval latest = relative_time(info_max_time, "-1w") | fields latest]
  | reporting stuff]

The two sub-subsearches load a dummy event, add the time range used as epoch values, do the subtraction of a week, and return the earliest and latest to the outer subsearch that then does the week-ago-search.
Adapt the things around the sub-subsearches to match whatever you're actually doing. Didn't test this, but it should work for everything you can select in the time range picker, including fixed dates or even all time - won't make sense for all time, but it won't throw up errors 😄

Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top