@ITWhisperer As per the screenshot below, I want to add a custom time frame where the user can select any time frame and compare the results.
Please help to understand the logic.
@ITWhisperer As per below, where do I need to use the token?
My current SPL is like:
index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ ((earliest=@m-$earliest_tok$ latest=@m) OR (earliest=@m-6d-$earliest_tok$ latest=@m-6d))
| rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)"
| rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)"
| eval Device_Type=upper(Device_Type)
| search Device_Type="$Device_t$"
| eval date_hour=strftime(_time, "%H:%M%p %Z")
| eval time=date_hour
| eval date=date_month.":".date_mday
| chart count by time date
Current XML setting:
<input type="radio" token="period_tok" searchWhenChanged="true">
  <label>Select a time range</label>
  <choice value="5m">Last 5 minute</choice>
  <choice value="15m">Last 15 minute</choice>
  <choice value="60m">Last 60 Minute</choice>
  <choice value="3h">Last 3 hours</choice>
  <choice value="6h">Last 6 hours</choice>
  <!-- set condition based on the label defined by <choice> -->
  <!-- Within each condition, specify a custom label for display -->
  <!-- Capture the selected value in the token, earliest_tok -->
  <change>
    <condition label="Last 60 Minute">
      <set token="date_label">Last 60 minutes</set>
      <set token="earliest_tok">$value$</set>
    </condition>
    <condition label="Last 6 hours">
      <set token="date_label">Last 6 hours</set>
      <set token="earliest_tok">$value$</set>
    </condition>
    <condition label="Last 3 hours">
      <set token="date_label">Last 3 hours</set>
      <set token="earliest_tok">$value$</set>
    </condition>
    <condition label="Last 5 minute">
      <set token="date_label">Last 5 minutes</set>
      <set token="earliest_tok">$value$</set>
    </condition>
    <condition label="Last 15 minute">
      <set token="date_label">Last 15 minutes</set>
      <set token="earliest_tok">$value$</set>
    </condition>
  </change>
</input>
Does what you are doing not already work?
Setting earliest_tok is a bit superfluous as the value is already available in period_tok
index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ ((earliest=@m-$period_tok$ latest=@m) OR (earliest=@m-6d-$period_tok$ latest=@m-6d))
| rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)"
| rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)"
| eval Device_Type=upper(Device_Type)
| search Device_Type="$Device_t$"
| eval date_hour=strftime(_time, "%H:%M%p %Z")
| eval time=date_hour
| eval date=date_month.":".date_mday
| chart count by time date
@ITWhisperer My previous token "earliest_tok" worked fine; I have faced no issues. Here I am using 5 custom time frame selectors. The user wants a custom time frame from which he can select any time, like 2 hours, 3 hours, 6 hours, 7 hours, because it's tedious for me to create multiple time frame selectors.
You could just have a text input where the user puts 2h or 3h etc?
@ITWhisperer Can't we create this type of time frame with the custom ones?
How would that work if the user selected previous year, for example? What about "All time"? What about using the advanced setting? You probably need to think this through and decide / agree with your user what the precise requirement is.
@ITWhisperer I will verify with them.
Thanks for all your support
One way to do this is to have the corresponding string as the value for each of the labels in your custom time range selector. For example: last 15 minutes might have a value of "((earliest=@m-15m latest=@m) OR (earliest=@m-1w-15m latest=@m-1w))", then you just use the token in your search instead of the current setting
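The approach in the last reply, written out as an added example (not code posted by anyone in the thread). It assumes the other ranges follow the same pattern as the quoted 15-minute value, that `$country_s1$` and `$Device_t$` are set by other inputs on the dashboard, and that `$label$` is used in the change handler to fill `date_label`; the dashboard label and chart title are made up for illustration.

```xml
<form>
  <label>Order comparison (example)</label>
  <fieldset submitButton="false">
    <!-- Each choice value is the complete time clause, so the search only needs $period_tok$ -->
    <input type="radio" token="period_tok" searchWhenChanged="true">
      <label>Select a time range</label>
      <choice value="((earliest=@m-5m latest=@m) OR (earliest=@m-1w-5m latest=@m-1w))">Last 5 minutes</choice>
      <choice value="((earliest=@m-15m latest=@m) OR (earliest=@m-1w-15m latest=@m-1w))">Last 15 minutes</choice>
      <choice value="((earliest=@m-60m latest=@m) OR (earliest=@m-1w-60m latest=@m-1w))">Last 60 minutes</choice>
      <choice value="((earliest=@m-3h latest=@m) OR (earliest=@m-1w-3h latest=@m-1w))">Last 3 hours</choice>
      <choice value="((earliest=@m-6h latest=@m) OR (earliest=@m-1w-6h latest=@m-1w))">Last 6 hours</choice>
      <!-- One handler for all choices: reuse the selected label for display -->
      <change>
        <set token="date_label">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Orders: $date_label$ compared with the same window one week earlier</title>
        <search>
          <!-- CDATA keeps the named capture groups (?<...>) from breaking the XML -->
          <query><![CDATA[
index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ $period_tok$
| rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)"
| rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)"
| eval Device_Type=upper(Device_Type)
| search Device_Type="$Device_t$"
| eval time=strftime(_time, "%H:%M%p %Z")
| eval date=date_month.":".date_mday
| chart count by time date
          ]]></query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because the token can only take one of the listed choice values, the time clause in the search stays within a known set, which is not the case when the same token is filled from a free-text input.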