Getting Data In

Splunk search query/queries for populating Splunk-supported timezones in a dropdown-type input.

Explorer

I have several input types in my dashboard for which I have allotted different tokens. Now I have a requirement where I need a dropdown to be populated by the timezones supported by Splunk (the ones displayed after adjusting the user settings at Settings -> Access controls -> User -> User Name -> Edit account -> Time zone). I found a query to get the current timezone in which the user is working, using the query "| stats count | eval zone = strftime(now(), "%Z")". But I need **separate search queries for all other timezones from the settings** as well. This would be very helpful, or at least individual queries to get the IST, EST (ET), PST and GMT timezones in the dropdown input would be sufficient as a bare minimum. Thank you.

0 Karma
1 Solution

Esteemed Legend

Like this:

| rest /servicesNS/-/search/data/ui/manager splunk_server=local
| regex eai:data="Time zone" 
| head 1 
| rename eai:data AS _raw 
| table _raw 
| rex mode=sed "s/(?ms)^.*Default System Timezone --\"\/>[\s\r\n]+(.*?)<\/options>.*$/\1/" 
| eval raw=split(_raw, "<opt value=") 
| mvexpand raw 
| rex field=raw "^\"(?<value>[^\"]+)\"\s+label=\"(?<label>[^\"]+)\"" 
| fields - _raw raw
| search label="*" AND value="*"


Explorer

Thanks for your answer, @woodcock! This seems to work fine in a normal ad-hoc search. But when I use this search query for my dropdown, the entire value fields seem to be converted like a string and as a result, I get only one value as a whole, whereas I need every label and value to be dynamic and get populated one by one. Also, is it possible to change/manipulate the timestamp field (including offset) setting of the virtual index upon selecting a timezone from this dropdown I'm gonna create?

0 Karma

Esteemed Legend

I forgot that mvexpand does not work on _raw. See my updated answer.

0 Karma

Explorer

Awesome @woodcock! This query will do! Thank you:)

0 Karma

Champion

Very nice @woodcock

0 Karma

Esteemed Legend

The nice thing about this is that you can pass both the label and the value directly to the fieldset and recreate the exact same presentation as exists in the source dashboard.

0 Karma

Champion

According to this page (http://dev.splunk.com/view/java-sdk/SP-CAAAEJ7) all of the options are found here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.

I don't think you can easily generate that list in an ad-hoc search without using a lookup table / KV Store. Since that data is static, creating a lookup search based on the Wikipedia page is probably the better option.

0 Karma

Explorer

Thanks rjthibod for your answer. The thing is, I can even set the timezone values statically with a label and a value. But in my case, I will need to append another input type button's ad-hoc search/searchmanager with the timezone's search query upon changing this dropdown value onvaluechange by assigning a token value.

Syntax: **| "mysearch" | "Token onvaluechange of dropdown input" | "rest of my search"**
For example:
**"mysearch" | stats count | eval zone = strftime(now(), "%Z") | "rest of my search"**

^ By doing something similar to the above search, I need to change the timestamp field data accordingly after it is retrieved from Cassandra DB. That is why I need a search query for ET, PST, GMT and IST at least, so that the timestamp value retrieved gets manipulated accordingly.

0 Karma