Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate time and doubling it from the user selection

andreafebbo
Communicator
‎08-30-2016 12:13 AM

Hi all.
I have a normal time selector in splunk that I think that everybody know.

alt text

I noticed that in my dashboard it gets used in the following way:

<search>
    <query>MY QUERY</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
</search>

Now, what I want to do is to double the time range selected by the user.

For instance, if the user select 1 week, I want to pick 2 weeks.
Same thing for days, months, hours and any time range .

If the user pick some strange period (es: from 1st January to 21 February ) I want to maintain the closest selection (21 February ) and double the chosen time.

1st January to 21 February = 51 days

51 * 2 = 102

21 February - 102 days = 11 November

How can I do this in my code.
I'm also willing to trasform my dashboard in HTML (I think I'll do it anyway later).

Thanks a lot!

Thank you a lot Sundareshr!

I tried to implement your solution but for some reason it does not work.
the code is the following:

BASE QUERY [
 | makeresults 
 | eval earliest=if(isnum($field1.earliest$), $field1.earliest$, relative_time(now(), "$field1.earliest$") 
 | eval latest=if(isnum($field1.latest$), $field1.latest$, relative_time(now(), "$field1.latest$")  
 | eval span=latest-earliest
 | eval mid=earliest
 | eval earliest=earliest-span 
 | table earliest latest mid] 
 | eval when=if(_time>relative_time(now(), mid), "Current_Period", "Prev_Period") 
 | stats count as events by  source when 
 | chart sum(events) by source, when 
 | eval perc = (Current_Period-Prev_Period)/Prev_Period
 | eval trend = case(perc < -0.3, "low", (perc >= -0.3 and perc <= 0.3 ), "madium", perc > 0.3, "high")
 | table source, Current_Period, Prev_Period, perc, trend

It shows me the following error

Error in 'eval' command: The expression is malformed. Expected ).

in your part of the code I changed this 

eval span=latest=earliest

to this:

eval span=latest-earliest

Because I thought it was a typo

Thanks a lot again

There is something wrong with the formatting that te selector gives to the variable.

If i chose "from the beginning of the week" i get thios error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@w1), @w1, relative_time(now(), "@w1"))'.

for the month is like this:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@mon), @mon, relative_time(now(), "@mon"))'.

if i choose always is like this:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ', relative_time(now(), ""))'.

if i choose between 2 dates is like this:

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.

if i choose last 7 days is like this

Error in 'eval' command: The expression is malformed. Expected ).

Thank you

Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-31-2016 09:59 AM

Try this in you search/query (MY QUERY)

  base search [
  | makeresults 
  | eval earliest=if(isnum($field1.earliest$), $field1.earliest$, relative_time(now(), "$field1.earliest$")) 
  | eval latest=if(isnum($field1.latest$), $field1.latest$, relative_time(now(), "$field1.latest$"))  
  | eval span=latest-earliest
  | eval earliest=earliest-span 
  | table earliest latest ] | rest of your query

And here is rest of your query with calculation for mid

  | eval mid=$field1.earliest$
  | eval when=if(_time>relative_time(now(), mid), "Current_Period", "Prev_Period") 
  | stats count as events by  source when 
  | chart sum(events) by source, when 
  | eval perc = (Current_Period-Prev_Period)/Prev_Period
  | eval trend = case(perc < -0.3, "low", (perc >= -0.3 and perc <= 0.3 ), "medium", perc > 0.3, "high")
  | table source, Current_Period, Prev_Period, perc, trend

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-31-2016 09:59 AM

Try this in you search/query (MY QUERY)

  base search [
  | makeresults 
  | eval earliest=if(isnum($field1.earliest$), $field1.earliest$, relative_time(now(), "$field1.earliest$")) 
  | eval latest=if(isnum($field1.latest$), $field1.latest$, relative_time(now(), "$field1.latest$"))  
  | eval span=latest-earliest
  | eval earliest=earliest-span 
  | table earliest latest ] | rest of your query

And here is rest of your query with calculation for mid

  | eval mid=$field1.earliest$
  | eval when=if(_time>relative_time(now(), mid), "Current_Period", "Prev_Period") 
  | stats count as events by  source when 
  | chart sum(events) by source, when 
  | eval perc = (Current_Period-Prev_Period)/Prev_Period
  | eval trend = case(perc < -0.3, "low", (perc >= -0.3 and perc <= 0.3 ), "medium", perc > 0.3, "high")
  | table source, Current_Period, Prev_Period, perc, trend
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...