I have several input types in my dashboard for which I have allotted different tokens. Now I have a requirement where I need a dropdown to be populated by the timezones supported by Splunk (the ones displayed after adjusting the user settings at Settings -> Access controls -> User -> User Name -> Edit account -> Time zone). I found a query to get the current timezone in which the user is working, using the query "| stats count | eval zone = strftime(now(), "%Z")". But I need **separate search queries for all other timezones from the settings** as well. This would be very helpful, or at least individual queries to get the IST, EST (ET), PST, GMT timezones in the dropdown input would be sufficient as a bare minimum. Thank you.
Like this:
| rest /servicesNS/-/search/data/ui/manager splunk_server=local
| regex eai:data="Time zone"
| head 1
| rename eai:data AS _raw
| table _raw
| rex mode=sed "s/(?ms)^.*Default System Timezone --\"\/>[\s\r\n]+(.*?)<\/options>.*$/\1/"
| eval raw=split(_raw, "<opt value=")
| mvexpand raw
| rex field=raw "^\"(?<value>[^\"]+)\"\s+label=\"(?<label>[^\"]+)\""
| fields - _raw raw
| search label="*" AND value="*"
Thanks for your answer, @woodcock! This seems to work fine in a normal ad-hoc search. But when I use this search query for my dropdown, the entire value fields seem to be converted like a string and as a result, I get only one value as a whole, whereas I need every label and value to be dynamic and get populated one by one. Also, is it possible to change/manipulate the timestamp field (including offset) setting of the virtual index upon selecting a timezone from this dropdown I'm gonna create?
I forgot that mvexpand does not work on _raw. See my updated answer.
Awesome @woodcock! This query will do! Thank you :)
Very nice @woodcock
The nice thing about this is that you can pass both the label and the value directly to the fieldset and recreate the exact same presentation as exists in the source dashboard.
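A Simple XML sketch of wiring the search above into a dropdown, added here as an illustration and not taken from any of the posts. The token name `tz`, the dashboard label and the demo panel are assumptions; the query is the one from the answer, with two changes that Simple XML requires.

```xml
<form>
  <label>Time zone picker (added example)</label>
  <fieldset submitButton="false">
    <!-- Token name "tz" is an assumption; use the name your other searches expect. -->
    <input type="dropdown" token="tz" searchWhenChanged="true">
      <label>Time zone</label>
      <!-- One choice per result row: "label" is displayed, "value" is stored in the token. -->
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <!-- CDATA keeps the literal opt/options markup in the regex from breaking the XML.
             The regex end anchor is written as two dollar signs because a single one
             is the token delimiter in Simple XML. -->
        <query><![CDATA[
| rest /servicesNS/-/search/data/ui/manager splunk_server=local
| regex eai:data="Time zone"
| head 1
| rename eai:data AS _raw
| table _raw
| rex mode=sed "s/(?ms)^.*Default System Timezone --\"\/>[\s\r\n]+(.*?)<\/options>.*$$/\1/"
| eval raw=split(_raw, "<opt value=")
| mvexpand raw
| rex field=raw "^\"(?<value>[^\"]+)\"\s+label=\"(?<label>[^\"]+)\""
| fields - _raw raw
| search label="*" AND value="*"
        ]]></query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Demo consumer (assumption): the |s filter quotes and escapes the token
             value before it is substituted into the search string. -->
        <search>
          <query>| makeresults | eval selected_zone=$tz|s$ | table selected_zone</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The dropdown search runs with the viewing user's permissions, so the REST endpoint must be readable by every role that opens the dashboard.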
According to this page (http://dev.splunk.com/view/java-sdk/SP-CAAAEJ7) all of the options are found here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
I don't think you can easily generate that list in an ad-hoc search without using a lookup table / KV Store. Since that data is static, creating a lookup search based on the Wikipedia page is probably the better option.
Thanks rjthibod for your answer. The thing is, I can even set the timezone values statically with a label and a value. But in my case, I will need to append another input type button's ad-hoc search/searchmanager with the timezone's search query upon changing this dropdown value onvaluechange by assigning a token value.
Syntax: **| "mysearch" | "Token onvaluechange of dropdown input" | "rest of my search"**
For example:
**"mysearch" | stats count | eval zone = strftime(now(), "%Z") | "rest of my search"**
^ By doing something similar to the above search, I need to change the timestamp field data accordingly after it is retrieved from Cassandra DB. That is why I need a search query for ET, PST, GMT and IST at least, so that the timestamp value retrieved gets manipulated accordingly.