Splunk Search

Calculate time and doubling it from the user selection

andreafebbo
Communicator

Hi all.
I have a normal time selector in Splunk that I think everybody knows.


I noticed that in my dashboard it gets used in the following way:

<search>
    <query>MY QUERY</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
</search>

Now, what I want to do is to double the time range selected by the user.

For instance, if the user selects 1 week, I want to pick 2 weeks.
Same thing for days, months, hours and any other time range.

If the user picks some unusual period (e.g. from 1st January to 21st February), I want to keep the closest selection (21st February) and double the chosen time.

1st January to 21 February = 51 days

51 * 2 = 102

21 February - 102 days = 11 November

How can I do this in my code?
I'm also willing to transform my dashboard into HTML (I think I'll do it anyway later).

Thanks a lot!


Thank you a lot Sundareshr!

I tried to implement your solution but for some reason it does not work.
The code is the following:

BASE QUERY [
 | makeresults 
 | eval earliest=if(isnum($field1.earliest$), $field1.earliest$, relative_time(now(), "$field1.earliest$") 
 | eval latest=if(isnum($field1.latest$), $field1.latest$, relative_time(now(), "$field1.latest$")  
 | eval span=latest-earliest
 | eval mid=earliest
 | eval earliest=earliest-span 
 | table earliest latest mid] 
 | eval when=if(_time>relative_time(now(), mid), "Current_Period", "Prev_Period") 
 | stats count as events by  source when 
 | chart sum(events) by source, when 
 | eval perc = (Current_Period-Prev_Period)/Prev_Period
 | eval trend = case(perc < -0.3, "low", (perc >= -0.3 and perc <= 0.3 ), "medium", perc > 0.3, "high")
 | table source, Current_Period, Prev_Period, perc, trend

It shows me the following error

Error in 'eval' command: The expression is malformed. Expected ).

In your part of the code I changed this:

eval span=latest=earliest

to this:

eval span=latest-earliest

because I thought it was a typo.

Thanks a lot again


There is something wrong with the formatting that the selector gives to the variable.

If I choose "from the beginning of the week" I get this error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@w1), @w1, relative_time(now(), "@w1"))'.

For the month it is like this:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@mon), @mon, relative_time(now(), "@mon"))'.

If I choose "always" it is like this:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ', relative_time(now(), ""))'.

If I choose between 2 dates it is like this:

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.

If I choose "last 7 days" it is like this:

Error in 'eval' command: The expression is malformed. Expected ).

Thank you

1 Solution

sundareshr
Legend

Try this in your search/query (MY QUERY)

  base search [
  | makeresults 
  | eval earliest=if(isnum($field1.earliest$), $field1.earliest$, relative_time(now(), "$field1.earliest$")) 
  | eval latest=if(isnum($field1.latest$), $field1.latest$, relative_time(now(), "$field1.latest$"))  
  | eval span=latest-earliest
  | eval earliest=earliest-span 
  | table earliest latest ] | rest of your query

And here is rest of your query with calculation for mid

  | eval mid=$field1.earliest$
  | eval when=if(_time>relative_time(now(), mid), "Current_Period", "Prev_Period") 
  | stats count as events by  source when 
  | chart sum(events) by source, when 
  | eval perc = (Current_Period-Prev_Period)/Prev_Period
  | eval trend = case(perc < -0.3, "low", (perc >= -0.3 and perc <= 0.3 ), "medium", perc > 0.3, "high")
  | table source, Current_Period, Prev_Period, perc, trend

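The follow-up errors in the thread come from substituting the time-picker tokens unquoted into `isnum(...)`: presets such as "Week to date" give `@w1`, "Month to date" gives `@mon`, "All time" gives `0` and an empty latest, and a date range gives epoch numbers, so the bare token is parsed as SPL rather than as a string. The panel below is an added example, not code from the thread or from sundareshr; it takes the same approach (a `makeresults` subsearch that returns `earliest`/`latest` terms) but quotes the tokens, uses `tonumber()` to tell epoch values from relative-time strings, handles the empty and `0` cases, and compares `_time` against the original earliest as an epoch instead of passing an epoch to `relative_time()`. The index `web`, the sourcetype `access_combined` and the panel title are assumptions; the token name `field1` is the one the dashboard on this page uses.

```xml
<panel>
  <table>
    <title>Events per source: selected window vs. the same length before it</title>
    <!-- No <earliest>/<latest> elements on purpose: the subsearch returns
         earliest= and latest= terms, and those set the time range of the
         outer search. index/sourcetype are assumed for the example. -->
    <search>
      <query>
index=web sourcetype=access_combined
    [ | makeresults
      <!-- Quote the tokens so "@w1", "-7d@d", "" or "1612137600" are all strings. -->
      | eval e_tok="$field1.earliest$", l_tok="$field1.latest$"
      <!-- tonumber() is null for a relative-time string, so it tells epoch
           values apart from modifiers; "All time" arrives as earliest "0". -->
      | eval earliest=case(isnotnull(tonumber(e_tok)), tonumber(e_tok),
                           e_tok="", 0,
                           true(), relative_time(now(), e_tok))
      | eval latest=case(isnotnull(tonumber(l_tok)), tonumber(l_tok),
                         l_tok="" OR l_tok="now", now(),
                         true(), relative_time(now(), l_tok))
      <!-- Double the window backwards; never go below epoch 0 for "All time". -->
      | eval span=latest-earliest
      | eval earliest=max(earliest-span, 0)
      | table earliest latest ]
<!-- The original earliest is the boundary between the two halves. The same
     token-to-epoch expression is repeated here because the subsearch can only
     return earliest/latest without turning other fields into search terms. -->
| eval e_tok="$field1.earliest$"
| eval mid=case(isnotnull(tonumber(e_tok)), tonumber(e_tok),
                e_tok="", 0,
                true(), relative_time(now(), e_tok))
| eval when=if(_time>=mid, "Current_Period", "Prev_Period")
| chart count AS events BY source when
<!-- A source with no events in one half has no column for it; fill with 0
     and avoid dividing by zero when the previous period is empty. -->
| fillnull value=0 Current_Period Prev_Period
| eval perc=if(Prev_Period=0, null(), (Current_Period-Prev_Period)/Prev_Period)
| eval trend=case(isnull(perc), "n/a", perc>0.3, "high", perc>=-0.3, "medium", true(), "low")
| table source Current_Period Prev_Period perc trend
      </query>
    </search>
  </table>
</panel>
```

The XML comments inside `<query>` are dropped by the XML parser, so only the SPL reaches the search head. Two caveats to check on your own data: `now()` is evaluated once in the subsearch and once in the outer search, so for unsnapped modifiers such as `-7d` the two can differ by a second or two (snapped values like `-7d@d` or `@w1` are unaffected), and for "All time" the previous period collapses to nothing because there is no earlier data to double into, which the `n/a` trend makes visible rather than hiding.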