Solved: Assigning a field value to "Earliest" "Latest" tim...

epw0rrell · ‎09-24-2020

Hello, I am interested in making the results of one index search (in particular the values of fields early and late) used in a different index search as values assigned to earliest latest.

My next search would search for all events using the early and late values of the previous search and assign them to earliest latest.

index="b" earliest=early latest=late

Everything I have tried up to this point seems to point to "earliest" and "latest" modifiers will not allow you to assign a field value to them. Essentially I want to perform the function that Splunk automates through its UI when it lets the user run a search on events before and after a given time.

Thanks for anyone that can help me and let me know if I can be clearer in explaining because sometimes it is hard to understand other people's context.

ITWhisperer · ‎09-24-2020

At the end of the first query in your dashboard, you can assign values to tokens. You can then use these tokens to set the earliest and latest values for a query in another dashboard

          <query>your query to find the values you want</query>
          <earliest>your time period start</earliest>
          <latest>your time period end</latest>
          <finalized>
                    <condition match=" 'job.resultCount' != 0">
                            <set token="tok_start">$result.early$</set>
                            <set token="tok_end">$result.late$</set>
                     </condition>
                     <condition>
                            <set token="tok_start"></set>
                            <set token="tok_end"></set>
                     </condition>
          </finalized>

View solution in original post

epw0rrell · ‎09-25-2020

ITWhisperer,

You are the best! It now works perfectly and I wish I could show you. Thank you so very much!!

epw0rrell · ‎09-25-2020

Thanks for your quick feedback. I placed the code within the first dashboard and it seems to not break anything. However, I am getting an error "waiting for input within dashboard 2. Where exactly would the "tok_start" and "tok_end" go within the dashboard. I tried applying them to:

<earliest>$tok_start.earliest$</earliest>
<latest>$tok_end.latest$</latest>

I also tried applying them to the fieldset portion of the Dashboard but it did not work then either.

ITWhisperer · ‎09-25-2020

Try:

<earliest>$tok_start$</earliest>
<latest>$tok_end$</latest>

Also, you might want to set tok_start and tok_end to sensible values (rather than blanks as I suggested as I don't know what would be sensible for your query). you should do this in the change handler as well as an init block near the top of your dashboard

ITWhisperer · ‎09-24-2020

At the end of the first query in your dashboard, you can assign values to tokens. You can then use these tokens to set the earliest and latest values for a query in another dashboard

          <query>your query to find the values you want</query>
          <earliest>your time period start</earliest>
          <latest>your time period end</latest>
          <finalized>
                    <condition match=" 'job.resultCount' != 0">
                            <set token="tok_start">$result.early$</set>
                            <set token="tok_end">$result.late$</set>
                     </condition>
                     <condition>
                            <set token="tok_start"></set>
                            <set token="tok_end"></set>
                     </condition>
          </finalized>

Assigning a field value to "Earliest" "Latest" time modifiers

eval

fields

subsearch

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life