Splunk Enterprise

Time Picker issue with Save Report Reference

mbasharat
Builder

Hi,

 

I have a complicated dashboard that is based on a scheduled saved report. All menus and panels are fed off of one report. This report already has a _time field. I am looking back a maximum of 30 days of data, and this is reflected in my adjustment to the time picker as well. I want to be able to use the time picker in the dashboard when I filter for various times. When I use the saved search and token in the code below, all works fine. But when I use the saved search as a reference, the time picker does not work. What am I missing? Thanks in advance!!

<form theme="light">
  <search ref="TEST_au1_1" id="Main_Search">
    <earliest>$timerange.earliest$</earliest>
    <latest>$timerange.latest$</latest>
  </search>
  <label>TEST AU 1</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" token="timerange" searchWhenChanged="false">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="servertype" searchWhenChanged="false">
      <label>Server Type</label>
      <initialValue>TEST</initialValue>
      <fieldForLabel>Server_Type</fieldForLabel>
      <fieldForValue>Server_Type</fieldForValue>
      <search base="Main_Search">
        <query>| stats dc(Server_Type) AS count By Server_Type</query>
      </search>
      <default>TEST</default>
    </input>
    <input type="dropdown" token="accttype" searchWhenChanged="false">
      <label>Account Type</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>UserType</fieldForLabel>
      <fieldForValue>UserType</fieldForValue>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$"
| stats dc(UserType) AS count By UserType</query>
      </search>
      <default>*</default>
    </input>
    <input type="dropdown" token="user" searchWhenChanged="false">
      <label>User Filter:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$"
| stats dc(User) as count BY User
| fields User</query>
      </search>
      <fieldForLabel>User</fieldForLabel>
      <fieldForValue>User</fieldForValue>
    </input>
    <input type="dropdown" token="priority" searchWhenChanged="false">
      <label>Priority Filter</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$" AND User="$user$"
| stats dc(Priority) as count by Priority
| fields Priority
| sort order</query>
      </search>
      <fieldForLabel>Priority</fieldForLabel>
      <fieldForValue>Priority</fieldForValue>
    </input>
    <input type="dropdown" token="results" searchWhenChanged="false">
      <label>Results</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>Result</fieldForLabel>
      <fieldForValue>Result</fieldForValue>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$" AND User="$user$" AND Priority="$priority$"
| stats dc(Result) as count by Result
| fields Result</query>
      </search>
      <choice value="*">All</choice>
    </input>
  </fieldset>
  <row depends="$hide$">
    <panel>
      <title>This panel is for hiding unnccessary time ranges since we are using max 30 Days of data as per requirements. DO NOT Delete this panel.</title>
      <html>
        <p>
          <style>
            div[data-test="other-column"],
            div[data-test="real-time-column"],
            button[data-test^='Previous business week'],
            button[data-test^='Business week to date'],
            button[data-test^='Year to date'],
            button[data-test^='Previous week'],
            button[data-test^='Previous month'],
            button[data-test^='Previous year'],
            button[data-test^='Yesterday'],
            div[data-test-panel-id^='real'],
            div[data-test-panel-id^='relative'],
            div[data-test-panel-id^='dateTime'],
            div[data-test-panel-id^='date'],
            div[data-test-panel-id^='advanced']
            {
              display:none !important;
            }
          </style>
        </p>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events Timechart</title>
      <chart>
        <search base="Main_Search">
          <query>| search UserType="$accttype$" AND User="$user$" AND Priority="$priority$" AND Result="$results$"
| timechart count</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.resultTruncationLimit">1000000</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
        <option name="charting.legend.placement">none</option>
        <option name="link.exportResults.visible">0</option>
        <option name="link.inspectSearch.visible">0</option>
        <option name="link.openPivot.visible">0</option>
        <option name="link.openSearch.visible">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="refresh.link.visible">0</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma

esalesap
Path Finder

This worked for me.  My time picker input "token" value is "field3".

Change:

<search ref="my report"></search>

to:

<search ref="my report">
  <earliest>$field3.earliest$</earliest>
  <latest>$field3.latest$</latest>
</search>

 

 

0 Karma

Manyl
Loves-to-Learn Lots

Hello @mbasharat,

I've found a workaround by using the "where" command before a panel subsearch.

Example in your case:

...
    <panel>
      <title>Events Timechart</title>
      <chart>
        <search base="Main_Search">
          <query>where _time&gt;=$timerange.earliest$ AND _time&lt;=$timerange.latest$
| search UserType="$accttype$" AND User="$user$" AND Priority="$priority$" AND Result="$results$"
| timechart count</query>
        </search>
...

Try adding this to your query: "where _time>=$timerange.earliest$ AND _time<=$timerange.latest$"

Unfortunately, for timelines, for example, I noticed that the display does not automatically scale the panel to the dashboard time range, but the data that appears does match it.

Regards,
Manyl

0 Karma

Manyl
Loves-to-Learn Lots

Hello @mbasharat,

I am experiencing the same issue.
Even if I set a time range shorter than the one set in the report, the panel does not take it into consideration.
Did you find another way to make it work?

I hope someone can answer to help us.

Regards,

Manyl 

0 Karma

phamryder
Observer

1. Create a background search to convert the time picker into epoch time and create token values for the new converted fields.

<search>
  <!-- Runs over the time picker's range; the job's resolved boundaries are converted to epoch tokens -->
  <query>|makeresults</query>
  <earliest>$period_token2.earliest$</earliest>
  <latest>$period_token2.latest$</latest>
  <progress>
    <eval token="toearliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    <eval token="tolatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    <set token="jobearliest">$job.earliestTime$</set>
    <set token="joblatest">$job.latestTime$</set>
  </progress>
</search>


Then, add this logic into your panels 

| eval earliest = $toearliest$
| eval latest =if($tolatest$ <= 0, now(),$tolatest$)
| eval datefield=_time
| where datefield >= earliest AND datefield <= latest


If you want, you can also choose a field other than _time. Just remember to convert that field into epoch time.

Hope this helps!

0 Karma
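
The two steps from the last answer, assembled into one minimal form with the comparison operators escaped for Simple XML. This is an added example, not code from any poster's dashboard: it reuses the report name `TEST_au1_1` and the `timerange` token from the question, assumes the report's rows keep an epoch `_time` field, and `epoch_earliest`, `epoch_latest`, `range_start` and `range_end` are hypothetical names.

```xml
<form theme="light">
  <label>Report reference with post-process time filter (example)</label>

  <!-- Base search: the saved report named in the question. -->
  <search ref="TEST_au1_1" id="Main_Search"></search>

  <!-- Helper search: runs over the picker's range only so that the job's
       resolved boundaries can be read back and converted to epoch seconds.
       epoch_earliest / epoch_latest are hypothetical token names. -->
  <search>
    <query>| makeresults</query>
    <earliest>$timerange.earliest$</earliest>
    <latest>$timerange.latest$</latest>
    <progress>
      <eval token="epoch_earliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="epoch_latest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    </progress>
  </search>

  <fieldset autoRun="true" submitButton="true">
    <input type="time" token="timerange" searchWhenChanged="false">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Events Timechart</title>
      <chart>
        <search base="Main_Search">
          <!-- "<" has to be written as &lt; inside a Simple XML query. -->
          <query>| eval range_start=$epoch_earliest$
| eval range_end=if($epoch_latest$ &lt;= 0, now(), $epoch_latest$)
| where _time &gt;= range_start AND _time &lt;= range_end
| timechart count</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

The post-process search can only narrow what the report already returned, so a picker range wider than the report's own window shows no additional data.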