Splunk Search

Calculate time and doubling it from the user selection

andreafebbo
Communicator

Hi all.
I have a normal time selector in Splunk that I think everybody knows.

I noticed that in my dashboard it gets used in the following way:

<search>
    <query>MY QUERY</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
</search>

Now, what I want to do is to double the time range selected by the user.

For instance, if the user selects 1 week, I want to pick 2 weeks.
Same thing for days, months, hours and any time range.

If the user picks some strange period (e.g. from 1st January to 21 February) I want to maintain the closest selection (21 February) and double the chosen time.

1st January to 21 February = 51 days

51 * 2 = 102

21 February - 102 days = 11 November

How can I do this in my code?
I'm also willing to transform my dashboard into HTML (I think I'll do it anyway later).

Thanks a lot!


Thank you a lot, Sundareshr!

I tried to implement your solution but for some reason it does not work.
The code is the following:

BASE QUERY [
 | makeresults 
 | eval earliest=if(isnum($field1.earliest$), $field1.earliest$, relative_time(now(), "$field1.earliest$") 
 | eval latest=if(isnum($field1.latest$), $field1.latest$, relative_time(now(), "$field1.latest$")  
 | eval span=latest-earliest
 | eval mid=earliest
 | eval earliest=earliest-span 
 | table earliest latest mid] 
 | eval when=if(_time>relative_time(now(), mid), "Current_Period", "Prev_Period") 
 | stats count as events by  source when 
 | chart sum(events) by source, when 
 | eval perc = (Current_Period-Prev_Period)/Prev_Period
 | eval trend = case(perc < -0.3, "low", (perc >= -0.3 and perc <= 0.3 ), "madium", perc > 0.3, "high")
 | table source, Current_Period, Prev_Period, perc, trend

It shows me the following error

Error in 'eval' command: The expression is malformed. Expected ).

In your part of the code I changed this:

eval span=latest=earliest

to this:

eval span=latest-earliest

because I thought it was a typo.

Thanks a lot again


There is something wrong with the formatting that the selector gives to the variable.

If I choose "from the beginning of the week" I get this error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@w1), @w1, relative_time(now(), "@w1"))'.

For the month it is like this:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@mon), @mon, relative_time(now(), "@mon"))'.

If I choose "always" it is like this:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ', relative_time(now(), ""))'.

If I choose "between 2 dates" it is like this:

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.

If I choose "last 7 days" it is like this:

Error in 'eval' command: The expression is malformed. Expected ).

Thank you

1 Solution

sundareshr
Legend

Try this in your search/query (MY QUERY):

  base search [
  | makeresults 
  | eval earliest=if(isnum($field1.earliest$), $field1.earliest$, relative_time(now(), "$field1.earliest$")) 
  | eval latest=if(isnum($field1.latest$), $field1.latest$, relative_time(now(), "$field1.latest$"))  
  | eval span=latest-earliest
  | eval earliest=earliest-span 
  | table earliest latest ] | rest of your query

And here is the rest of your query with the calculation for mid:

  | eval mid=$field1.earliest$
  | eval when=if(_time>relative_time(now(), mid), "Current_Period", "Prev_Period") 
  | stats count as events by  source when 
  | chart sum(events) by source, when 
  | eval perc = (Current_Period-Prev_Period)/Prev_Period
  | eval trend = case(perc < -0.3, "low", (perc >= -0.3 and perc <= 0.3 ), "medium", perc > 0.3, "high")
  | table source, Current_Period, Prev_Period, perc, trend

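The subsearch in this answer resolves the picker tokens to earliest and latest, takes span = latest - earliest, and moves earliest back by one more span. As an added illustration that is not from the thread or from Splunk itself, the same doubling logic below is written in Python over an assumed subset of the relative-time modifiers that appear in the thread (-7d, @w1, @mon, now, an epoch pair, and the empty token the picker produced for "always"); the function names relative_time, shift_months and double_window are my own, and the empty token shows why an unbounded selection cannot be doubled at all.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta

# Assumed subset of Splunk's relative-time syntax (not a full reimplementation):
#   offset -7d / +2h / -1mon (units s, m, h, d, w, mon), snap @d / @w1 / @mon
#   (@w0 or @w7 = Sunday, @w1 = Monday), "now", or "" (what the picker sent for "always")
_MOD = re.compile(r"^(?:(?P<sign>[+-])(?P<n>\d+)(?P<unit>mon|[smhdw]))?(?:@(?P<snap>mon|w[0-7]?|d))?$")
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def shift_months(t, n):
    """Move t by n months, clamping the day to the length of the target month."""
    year, month0 = divmod(t.year * 12 + (t.month - 1) + n, 12)
    return t.replace(year=year, month=month0 + 1, day=min(t.day, monthrange(year, month0 + 1)[1]))

def relative_time(now, token):
    """Resolve a time-picker token to a datetime; None means unbounded (all time)."""
    tok = token.strip()
    if tok == "":
        return None
    if tok == "now":
        return now
    if re.fullmatch(r"\d+(\.\d+)?", tok):  # epoch seconds, as a custom date range sends
        return datetime.fromtimestamp(float(tok), tz=now.tzinfo)
    m = _MOD.match(tok)
    if not m:
        raise ValueError(f"unsupported modifier: {token!r}")
    t = now
    if m["unit"]:
        n = int(m["n"]) * (-1 if m["sign"] == "-" else 1)
        t = shift_months(t, n) if m["unit"] == "mon" else t + timedelta(**{_UNITS[m["unit"]]: n})
    if m["snap"]:
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        if m["snap"] == "mon":
            t = t.replace(day=1)
        elif m["snap"].startswith("w"):
            # Python weekday(): Monday=0 .. Sunday=6; Splunk @w1=Monday, @w0/@w7=Sunday
            target = (int(m["snap"][1:] or 0) - 1) % 7
            t -= timedelta(days=(t.weekday() - target) % 7)
    return t

def double_window(now, earliest_tok, latest_tok):
    """Keep the selected latest bound and push earliest back by one more span."""
    earliest = relative_time(now, earliest_tok)
    latest = relative_time(now, latest_tok) or now
    if earliest is None:
        raise ValueError("an unbounded (all time) selection has no finite span to double")
    span = latest - earliest
    return earliest - span, latest
```

With the question's own example (1 January to 21 February, 51 days) the doubled window starts on 11 November of the previous year, matching the arithmetic in the first post.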
