Getting Data In

Splunk search query/queries for populating splunk supported timezones in dropdown type input.

waltz
Explorer

I have several input types in my dashboard for which I have allotted different tokens. Now I have a requirement where I need a dropdown to be populated by the timezones supported by Splunk( The ones displayed after adjusting the user settings at Settings-> Access controls -> User-> User Name -> Edit account -> Time zone). I found a query to get the current timezone in which the user is working on using the query "| stats count | eval zone = strftime(now(), "%Z")". But I need ** separate search queries for all other timezones from the settings** as well. This would be much helpful or at least individual queries to get the IST, EST(ET), PST, GMT timezones in the dropdown input would be sufficient bare-minimally. Thank you.

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

| rest/servicesNS/-/search/data/ui/manager splunk_server=local
| regex eai:data="Time zone" 
| head 1 
| rename eai:data AS _raw 
| table _raw 
| rex mode=sed "s/(?ms)^.*Default System Timezone --\"\/>[\s\r\n]+(.*?)<\/options>.*$/\1/" 
| eval raw=split(_raw, "<opt value=") 
| mvexpand raw 
| rex field=raw "^\"(?<value>[^\"]+)\"\s+label=\"(?<label>[^\"]+)\"" 
| fields - _raw raw
| search label="*" AND value="*"

View solution in original post

woodcock
Esteemed Legend

Like this:

| rest/servicesNS/-/search/data/ui/manager splunk_server=local
| regex eai:data="Time zone" 
| head 1 
| rename eai:data AS _raw 
| table _raw 
| rex mode=sed "s/(?ms)^.*Default System Timezone --\"\/>[\s\r\n]+(.*?)<\/options>.*$/\1/" 
| eval raw=split(_raw, "<opt value=") 
| mvexpand raw 
| rex field=raw "^\"(?<value>[^\"]+)\"\s+label=\"(?<label>[^\"]+)\"" 
| fields - _raw raw
| search label="*" AND value="*"

waltz
Explorer

Thanks for your answer, @woodcock! This seems to work fine in a normal ad-hoc search. But when I use this search query for my dropdown, the entire value fields seem to be converted like a string and as a result, I get only one value as a whole, whereas I need every label and value to be dynamic and get populated one by one. Also is it possible to change/manipulate the timestamp field(including offset) setting of the virtual index upon selecting a timezone from this dropdown I'm gonna create?

0 Karma

woodcock
Esteemed Legend

I forgot that mvexpand does not work on _raw. See my updated answer.

0 Karma

waltz
Explorer

Awesome @woodcock! This query will do! Thank you:)

0 Karma

rjthibod
Champion

Very nice @woodcock

0 Karma

woodcock
Esteemed Legend

The nice thing about this that you can pass both the label and the value directly to the fieldset and recreate the exact same presentation as exists in the source dashboard.

0 Karma

rjthibod
Champion

According to this page (http://dev.splunk.com/view/java-sdk/SP-CAAAEJ7) all of the options are found here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.

I don't think you can easily generate that list in an ad-hoc search without using a lookup table / KV Store. Since that data is static, creating a lookup search based on the wikipedia page is probably the better option.

0 Karma

waltz
Explorer

Thanks rjthibod for your answer. The thing is, I can even set the timezone values statically with a label and a value. But in my case, I will be needing to append another input type button's ad-hoc search/searchmanager with the timezone's search query upon changing this dropdown value onvaluechange by assigning a token value.

Syntax: ** | "mysearch" |"Token onvaluechange of dropdown input"|"rest of my search" **
For eg.
** "mysearch"| stats count | eval zone = strftime(now(), "%Z") |"rest of my search" **

^ by doing something similar to the above search, I need to change the timestamp field data accordingly after getting retrieved from cassandra DB. That is why I need a search query for ET,PST,GMT and IST at least ,so that the timestamp value retrieved gets manipulated accordingly.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...