Splunk Enterprise

Time Picker issue with Save Report Reference

mbasharat
Contributor

Hi,

I have a complicated dashboard that is based off of a scheduled saved report. All menus and panels are fed off of one report. This report already has a _time field. I am looking back max 30 days of data and this reflects in my adjustment in the time picker as well. I want to be able to use the time picker in the dashboard when I filter for various times. When I use a saved search and token in the code below, all works fine. But when I use the saved search as a reference, the time picker does not work. What am I missing? Thanks in advance!!

<form theme="light">
  <search ref="TEST_au1_1" id="Main_Search">
    <earliest>$timerange.earliest$</earliest>
    <latest>$timerange.latest$</latest>
  </search>
  <label>TEST AU 1</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" token="timerange" searchWhenChanged="false">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="servertype" searchWhenChanged="false">
      <label>Server Type</label>
      <initialValue>TEST</initialValue>
      <fieldForLabel>Server_Type</fieldForLabel>
      <fieldForValue>Server_Type</fieldForValue>
      <search base="Main_Search">
        <query>| stats dc(Server_Type) AS count By Server_Type</query>
      </search>
      <default>TEST</default>
    </input>
    <input type="dropdown" token="accttype" searchWhenChanged="false">
      <label>Account Type</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>UserType</fieldForLabel>
      <fieldForValue>UserType</fieldForValue>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$"
| stats dc(UserType) AS count By UserType</query>
      </search>
      <default>*</default>
    </input>
    <input type="dropdown" token="user" searchWhenChanged="false">
      <label>User Filter:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$"
| stats dc(User) as count BY User
| fields User</query>
      </search>
      <fieldForLabel>User</fieldForLabel>
      <fieldForValue>User</fieldForValue>
    </input>
    <input type="dropdown" token="priority" searchWhenChanged="false">
      <label>Priority Filter</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$" AND User="$user$"
| stats dc(Priority) as count by Priority
| fields Priority
| sort order</query>
      </search>
      <fieldForLabel>Priority</fieldForLabel>
      <fieldForValue>Priority</fieldForValue>
    </input>
    <input type="dropdown" token="results" searchWhenChanged="false">
      <label>Results</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>Result</fieldForLabel>
      <fieldForValue>Result</fieldForValue>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$" AND User="$user$" AND Priority="$priority$"
| stats dc(Result) as count by Result
| fields Result</query>
      </search>
      <choice value="*">All</choice>
    </input>
  </fieldset>
  <row depends="$hide$">
    <panel>
      <title>This panel is for hiding unnccessary time ranges since we are using max 30 Days of data as per requirements. DO NOT Delete this panel.</title>
      <html>
        <p>
          <style>
            div[data-test="other-column"],
            div[data-test="real-time-column"],
            button[data-test^='Previous business week'],
            button[data-test^='Business week to date'],
            button[data-test^='Year to date'],
            button[data-test^='Previous week'],
            button[data-test^='Previous month'],
            button[data-test^='Previous year'],
            button[data-test^='Yesterday'],
            div[data-test-panel-id^='real'],
            div[data-test-panel-id^='relative'],
            div[data-test-panel-id^='dateTime'],
            div[data-test-panel-id^='date'],
            div[data-test-panel-id^='advanced']
            {
            display:none !important;
            }
          </style>
        </p>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events Timechart</title>
      <chart>
        <search base="Main_Search">
          <query>| search UserType="$accttype$" AND User="$user$" AND Priority="$priority$" AND Result="$results$"
| timechart count</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.resultTruncationLimit">1000000</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
        <option name="charting.legend.placement">none</option>
        <option name="link.exportResults.visible">0</option>
        <option name="link.inspectSearch.visible">0</option>
        <option name="link.openPivot.visible">0</option>
        <option name="link.openSearch.visible">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="refresh.link.visible">0</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma

esalesap
Path Finder

This worked for me.  My time picker input "token" value is "field3".

Change:

<search ref="my report"></search>

to:

<search ref="my report">
  <earliest>$field3.earliest$</earliest>
  <latest>$field3.latest$</latest>
</search>

0 Karma

Manyl
Loves-to-Learn Lots

Hello @mbasharat,

I've found a workaround by using the "where" command before a panel subsearch.

Example in your case:

...
    <panel>
      <title>Events Timechart</title>
      <chart>
        <search base="Main_Search">
          <query>where _time&gt;=$timerange.earliest$ AND _time&lt;=$timerange.latest$
| search UserType="$accttype$" AND User="$user$" AND Priority="$priority$" AND Result="$results$"
| timechart count</query>
        </search>
...

Try to add in your query: "where _time>=$timerange.earliest$ AND _time<=$timerange.latest$"

Unfortunately, for timelines for example, I noticed that the display does not automatically scale the panel to the dashboard time range, but the data that appears does match it.

Regards,
Manyl

0 Karma

Manyl
Loves-to-Learn Lots

Hello @mbasharat,

I am experiencing the same issue.
Even if I set a time range shorter than the one set in the report, the panel does not take it into consideration.
Did you find another way to make it work?

I hope someone could answer to help us.

Regards,

Manyl 

0 Karma

phamryder
Observer

1. Create a background search in order to convert the timepicker into epoch time and create token values for the new converted fields.

</search>
<search>
  <query>|makeresults</query>
  <earliest>$period_token2.earliest$</earliest>
  <latest>$period_token2.latest$</latest>
  <progress>
    <eval token="toearliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    <eval token="tolatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    <set token="jobearliest">$job.earliestTime$</set>
    <set token="joblatest">$job.latestTime$</set>
  </progress>
</search>


Then, add this logic into your panels 

| eval earliest = $toearliest$
| eval latest =if($tolatest$ <= 0, now(),$tolatest$)
| eval datefield=_time
| where datefield >= earliest AND datefield <= latest


If you want, you can also choose a different field other than _time. Just remember to convert that field into epoch time.

Hope this helps!

0 Karma
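
A lint for the situation discussed in this thread, added here as an example (not code from any poster or from Splunk): it lists panels that post-process a report-backed (`ref=`) base search without referencing the time picker token, either directly as in Manyl's `where` filter or through derived tokens as in the reply above. The sample dashboard, the token names `tp` and `lo`, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dashboard, not taken from the thread.
SAMPLE = """<form>
  <search ref="example_report" id="base"/>
  <search>
    <query>| makeresults</query>
    <earliest>$tp.earliest$</earliest>
    <latest>$tp.latest$</latest>
    <progress><eval token="lo">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval></progress>
  </search>
  <fieldset><input type="time" token="tp"/></fieldset>
  <row>
    <panel><title>Direct</title><chart><search base="base">
      <query>where _time&gt;=$tp.earliest$ | timechart count</query></search></chart></panel>
    <panel><title>Derived</title><chart><search base="base">
      <query>| where _time&gt;=$lo$ | timechart count</query></search></chart></panel>
    <panel><title>Unfiltered</title><table><search base="base">
      <query>| stats count by User</query></search></table></panel>
  </row>
</form>"""

def time_token_patterns(root):
    """Regexes for the time-input tokens and for tokens derived from them."""
    pats = {r"\$%s\.(earliest|latest)\$" % re.escape(i.get("token"))
            for i in root.iter("input") if i.get("type") == "time" and i.get("token")}
    for s in root.iter("search"):
        bounds = (s.findtext("earliest") or "") + (s.findtext("latest") or "")
        if any(re.search(p, bounds) for p in pats):
            # <eval>/<set> tokens computed by a search that is bound to the picker
            derived = [e.get("token") for e in s.iter() if e.tag in ("eval", "set")]
            pats |= {r"\$%s\$" % re.escape(t) for t in derived if t}
    return pats

def unfiltered_panels(xml_text):
    """Titles of panels that post-process a ref= base search with no time token."""
    root = ET.fromstring(xml_text)
    pats = time_token_patterns(root)
    ref_ids = {s.get("id") for s in root.iter("search") if s.get("ref") and s.get("id")}
    findings = []
    for panel in root.iter("panel"):
        for s in panel.iter("search"):
            query = s.findtext("query") or ""
            if s.get("base") in ref_ids and not any(re.search(p, query) for p in pats):
                findings.append(panel.findtext("title") or "(untitled)")
    return findings

if __name__ == "__main__":
    print(unfiltered_panels(SAMPLE))
```

A relative preset such as `-24h@h` reaches `$timerange.earliest$` as that literal string rather than as epoch seconds, so a direct `where _time>=...` comparison only behaves for absolute ranges; the epoch conversion in the reply above avoids that.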