Splunk Search

Compare x hours vs last 1 week ago

uagraw01
Motivator

@ITWhisperer As per the below screenshot, I want to add a custom time frame where the user is able to select any time frame and compare the results.

Please help to understand the logic.


0 Karma

uagraw01
Motivator

@ITWhisperer As per below, where do I need to use the token?

My current SPL is like:

index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ ((earliest=@m-$earliest_tok$ latest=@m) OR (earliest=@m-6d-$earliest_tok$ latest=@m-6d))
| rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)"
| rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)"
| eval Device_Type=upper(Device_Type)
| search Device_Type="$Device_t$"
| eval date_hour=strftime(_time, "%H:%M%p %Z")
| eval time=date_hour
| eval date=date_month.":".date_mday
| chart count by time date

Current XML setting:

<input type="radio" token="period_tok" searchWhenChanged="true">
  <label>Select a time range</label>
  <choice value="5m">Last 5 minute</choice>
  <choice value="15m">Last 15 minute</choice>
  <choice value="60m">Last 60 Minute</choice>
  <choice value="3h">Last 3 hours</choice>
  <choice value="6h">Last 6 hours</choice>
  <!-- set condition based on the label defined by <choice> -->
  <!-- Within each condition, specify a custom label for display -->
  <!-- Capture the selected value in the token, earliest_tok -->
  <change>
    <condition label="Last 60 Minute">
      <set token="date_label">Last 60 minutes</set>
      <set token="earliest_tok">$value$</set>
    </condition>
    <condition label="Last 6 hours">
      <set token="date_label">Last 6 hours</set>
      <set token="earliest_tok">$value$</set>
    </condition>
    <condition label="Last 3 hours">
      <set token="date_label">Last 3 hours</set>
      <set token="earliest_tok">$value$</set>
    </condition>
    <condition label="Last 5 minute">
      <set token="date_label">Last 5 minutes</set>
      <set token="earliest_tok">$value$</set>
    </condition>
    <condition label="Last 15 minute">
      <set token="date_label">Last 15 minutes</set>
      <set token="earliest_tok">$value$</set>
    </condition>
  </change>
</input>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does what you are doing not already work?

Setting earliest_tok is a bit superfluous, as the value is already available in period_tok.

index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ ((earliest=@m-$period_tok$ latest=@m) OR (earliest=@m-6d-$period_tok$ latest=@m-6d))
| rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)"
| rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)"
| eval Device_Type=upper(Device_Type)
| search Device_Type="$Device_t$"
| eval date_hour=strftime(_time, "%H:%M%p %Z")
| eval time=date_hour
| eval date=date_month.":".date_mday
| chart count by time date

0 Karma

uagraw01
Motivator

@ITWhisperer My previous token "earliest_tok" worked fine; I have faced no issue. Here I have 5 custom time frame selectors. As per the user, he wants a custom time frame from where he can select any time, like 2 hours, 3 hours, 6 hours, 7 hours, because it's tedious for me to create multiple time frame selectors.


0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You could just have a text input where the user puts 2h or 3h etc?

0 Karma

uagraw01
Motivator

@ITWhisperer Can't we create this type of time frame with the custom ones?

0 Karma

uagraw01
Motivator

Can't we create this type of time frame with the custom ones?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

How would that work if the user selected previous year, for example? What about "All time"? What about using the advanced setting? You probably need to think this through and decide / agree with your user what the precise requirement is.

0 Karma

uagraw01
Motivator

@ITWhisperer I will verify with them.

Thanks for all your support.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

One way to do this is to have the corresponding string as the value for each of the labels in your custom time range selector. For example: last 15 minutes might have a value of "((earliest=@m-15m latest=@m) OR (earliest=@m-1w-15m latest=@m-1w))", then you just use the token in your search instead of the current setting.

0 Karma