Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Compare x hours vs last 1 week ago

uagraw01
Motivator
‎09-07-2022 01:12 AM

@ITWhisper As per the Below Screenshot I want to add Custom time frame. Where user can able to select any time frame and compare the results.

Please help to understand the logic.

uagraw01_0-1662538497321.png

 

0 Karma
Reply

uagraw01
Motivator
‎09-07-2022 03:06 AM

@ITWhisperer  As per below Where I need to use the token.

 

My Current SPL is Like :

 

index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ ((earliest=@m-$earliest_tok$ latest=@m) OR (earliest=@m-6d-$earliest_tok$ latest=@m-6d))
| rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)"
| rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)"
| eval Device_Type=upper(Device_Type)
| search Device_Type="$Device_t$"
| eval date_hour=strftime(_time, "%H:%M%p %Z")
| eval time=date_hour
| eval date=date_month.":".date_mday
| chart count by time date

 

Current XML setting :

 

<input type="radio" token="period_tok" searchWhenChanged="true">
<label>Select a time range</label>
<choice value="5m">Last 5 minute</choice>
<choice value="15m">Last 15 minute</choice>
<choice value="60m">Last 60 Minute</choice>
<choice value="3h">Last 3 hours</choice>
<choice value="6h">Last 6 hours</choice>
<!-- set condition based on the label defined by <choice> -->
<!-- Within each condition, specify a custom label for display -->
<!-- Capture the selected value in the token, earliest_tok -->
<change>
<condition label="Last 60 Minute">
<set token="date_label">Last 60 minutes</set>
<set token="earliest_tok">$value$</set>
</condition>
<condition label="Last 6 hours">
<set token="date_label">Last 6 hours</set>
<set token="earliest_tok">$value$</set>
</condition>
<condition label="Last 3 hours">
<set token="date_label">Last 3 hours</set>
<set token="earliest_tok">$value$</set>
</condition>
<condition label="Last 5 minute">
<set token="date_label">Last 5 minutes</set>
<set token="earliest_tok">$value$</set>
</condition>
<condition label="Last 15 minute">
<set token="date_label">Last 15 minutes</set>
<set token="earliest_tok">$value$</set>
</condition>

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2022 03:21 AM

Does what you are doing not already work?

Setting earliest_tok is a bit superfluous as the value is already available in period_tok

index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ ((earliest=@m-$period_tok$ latest=@m) OR (earliest=@m-6d-$period_tok$ latest=@m-6d))
| rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)"
| rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)"
| eval Device_Type=upper(Device_Type)
| search Device_Type="$Device_t$"
| eval date_hour=strftime(_time, "%H:%M%p %Z")
| eval time=date_hour
| eval date=date_month.":".date_mday
| chart count by time date
0 Karma
Reply

uagraw01
Motivator
‎09-07-2022 03:32 AM

@ITWhisperer My previous token "earliest_tok" worked fine no issue I have faced, Here I am 5 custom time frame selector. As per the user he wants custom time frame from where he can select any time. Like 2 hours, 3 hours, 6 hours, 7 hours. Because Its tedious for me create  multiple Time frames selector. 

uagraw01_0-1662546878689.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2022 03:35 AM

You could just have a text input where the user puts 2h or 3h etc?

0 Karma
Reply

uagraw01
Motivator
‎09-07-2022 03:38 AM

@ITWhisperer Can't we Create this time of time frame with the custom ones.

0 Karma
Reply

uagraw01
Motivator
‎09-07-2022 03:40 AM

 

Can't we Create this time of time frame with the custom ones.

uagraw01_0-1662547508024.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2022 03:54 AM

How would that work if the user selected previous year, for example? What about "All time"? What about using the advanced setting? You probably need to think this through and decide / agree with your user what the precise requirement is.

0 Karma
Reply

uagraw01
Motivator
‎09-07-2022 04:52 AM

@ITWhisperer I will verify with them.

Thanks for all your support

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2022 02:59 AM

One way to do this is to have the corresponding string as the value for each of the labels in your custom time range selector. For example: last 15 minutes might have a value of "((earliest=@m-15m latest=@m) OR (earliest=@m-1w-15m latest=@m-1w))", then you just use the token in your search instead of the current setting

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...