Converting time in Time token to limit results till a particular date

pushpender07
Explorer

I need to create a panel in a dashboard which gives me a list of activities till 23rd July 2017. Now, I don't want the start time to be fixed but user-defined in the panel, so I have created a dropdown where users can select the time duration. Now, endtime ensures the output never goes beyond 23rd July, but I want the start time to be dynamic based on what the user selects. So if the user selects last 30 days, the start time should be 25th June and the results should be from 25th June to 23rd July. When I run the below query, it gives a parse error. Any solution to this, please? How can I set starttime based on what the user selects in the dropdown?

  <panel>
    <title>Activities (till 23rd July 2017)</title>
    <input type="time" token="time_token">
      <label>Select Time duration</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <table>
      <search>
        <!-- $time_token.earliest$ expands to a relative modifier such as -30d@d, which is what starttime= rejects -->
        <query>index=ABC sourcetype=server123 starttime="$time_token.earliest$" endtime="07/23/2017:00:00:00" |stats count by activity</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
      </search>
    </table>
  </panel>

niketn
Legend

@pushpender07, using a Time Control when the latest time is fixed and the earliest keeps changing can be confusing. For example, the "Last 7 Days" option in the Time Control on 07/27 will set the earliest date to 07/20, when ideally a "7 Days ago" option should be present to allow the earliest time to be 07/17 when the last date is fixed at 07/23. Using the time control can be confusing/erroneous: when someone selects 07/26, or even Yesterday, for the earliest time, the search will fail, since the fixed latest time 07/23 cannot be earlier than the earliest time.

You can create your own dropdown to set valid earliest time.

Please find run-anywhere code for the two options:


<form>
  <!-- Simple XML requires a <label> as the first child of <form> -->
  <label>Earliest time against a fixed latest</label>
  <search id="fromTimeControl">
    <query>|makeresults</query>
    <earliest>$selEarliestFromTimeControl.earliest$</earliest>
    <done>
      <eval token="tokEarliestFromTimeControl">strptime($job.earliestTime$,"%Y-%m-%d %H:%M:%S")</eval>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="selEarliestFromTimeControl" searchWhenChanged="true">
        <label>Select Earliest (Time Control)</label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
      </input>
    </panel>
    <panel>
      <input type="dropdown" token="selEarliestFromDropDown" searchWhenChanged="true">
        <label>Select Earliest Time (Dropdown)</label>
        <choice value="-30d">30 days before</choice>
        <choice value="-7d">7 days before</choice>
        <choice value="-1d">1 day before</choice>
        <change>
          <!-- the offset is applied to the fixed 07/23 date, not to "now" -->
          <eval token="tokEarliestFromDropDown">relative_time(strptime("07/23/2017:00:00:00","%m/%d/%Y:%H:%M:%S"),$value$)</eval>
        </change>
        <default>-7d</default>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Search from Time Control</title>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level!="INFO" earliest="$tokEarliestFromTimeControl$" latest="07/23/2017:00:00:00"| timechart count</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Search from Time Dropdown</title>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level!="INFO" earliest="$tokEarliestFromDropDown$" latest="07/23/2017:00:00:00"| timechart count</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pushpender07
Explorer

Hi, I will try to use it. As I am new to Splunk, it might take time for me to figure this out. Thanks!


sbbadri
Motivator

Try below, I have converted July 23rd, 2017 to epoch time:

<query>index=ABC sourcetype=server123 earliest=$time_token.earliest$ latest=1500782400 |stats count by activity</query>

or

<query>index=ABC sourcetype=server123 starttime=$time_token.earliest$ endtime=1500782400 |stats count by activity</query>


pushpender07
Explorer

Hi, thanks for the input. This does not solve the issue, as I get a parse error when I try to use this.


sbbadri
Motivator

Can you paste the full error?


pushpender07
Explorer

I get the following error: "Unable to parse -30d@d with format: %m/%d/%Y:%H:%M:%S".
time_token.earliest is -30d@d by default.


sbbadri
Motivator

Try below:

<form>
  <label>test_tr</label>
  <fieldset submitButton="false">
    <input type="time" token="time_token">
      <label>Select a time range before July 23rd</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>1500782400</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd group=queue earliest=$time_token.earliest$ latest=1500782400 | stats count by group _time | reverse</query>
        </search>
      </table>
    </panel>
  </row>
</form>

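Both working answers in this thread rest on the same point: a relative modifier such as -30d@d is not a timestamp, so it has to be resolved against some anchor (the search's "now" for a time picker, the fixed 07/23/2017 date in niketn's dropdown eval) before it can be paired with a fixed latest, and the resolved earliest must still fall before that latest. The Python below is an added example, not code from the thread or from Splunk. It models the subset of relative_time modifier syntax used above (offsets in s/m/h/d/w, snaps in s/m/h/d/w/mon/y, applied left to right), reproduces the strptime error pushpender reported when a modifier is passed where an absolute timestamp is expected, converts the fixed endpoint to epoch seconds as sbbadri did, and applies the window check niketn describes, showing why "Yesterday" from a time picker breaks once the current date passes 07/23. It assumes a fixed UTC-4 search-head timezone (the zone in which 1500782400 is 07/23/2017 00:00:00), Sunday-based week snapping, and a constructed current time of 07/27/2017; month and year offsets are left unimplemented.

```python
"""Relative time modifiers resolved against a fixed latest (added example, not thread code)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Assumption: the search head runs at a fixed UTC-4 offset (EDT); that is the zone
# in which 07/23/2017 00:00:00 is epoch 1500782400, the value used in the thread.
SEARCH_TZ = timezone(timedelta(hours=-4))
SPLUNK_TS_FMT = "%m/%d/%Y:%H:%M:%S"

# Tokens are applied left to right, as Splunk does: "-1h@d" subtracts an hour and
# then snaps to the day; "@d-1h" snaps first and then subtracts the hour.
TOKEN_RE = re.compile(r"([+-]\d+)(mon|s|m|h|d|w|y)|@(mon|s|m|h|d|w|y)")
OFFSET_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_absolute(value: str, fmt: str = SPLUNK_TS_FMT) -> datetime:
    """Parse the absolute timestamp that starttime=/endtime= expect; a relative
    modifier such as "-30d@d" fails with the wording the thread reports."""
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=SEARCH_TZ)
    except ValueError:
        raise ValueError(f"Unable to parse {value} with format: {fmt}") from None


def snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the unit (@w snaps back to Sunday, Splunk's default)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        return day - timedelta(days=(day.weekday() + 1) % 7)  # weekday(): Monday=0, Sunday=6
    if unit == "mon":
        return day.replace(day=1)
    if unit == "y":
        return day.replace(month=1, day=1)
    raise ValueError(f"unsupported snap unit: {unit!r}")


def relative_time(anchor: datetime, modifier: str) -> datetime:
    """Model of SPL relative_time(anchor, modifier); month/year offsets are not implemented here."""
    if modifier == "now":
        return anchor
    t, pos = anchor, 0
    for m in TOKEN_RE.finditer(modifier):
        if m.start() != pos:  # unparsed text between tokens
            raise ValueError(f"bad modifier: {modifier!r}")
        pos = m.end()
        if m.group(3):
            t = snap(t, m.group(3))
        else:
            amount, unit = int(m.group(1)), m.group(2)
            if unit not in OFFSET_SECONDS:
                raise ValueError(f"offset unit {unit!r} is not implemented in this example")
            t += timedelta(seconds=amount * OFFSET_SECONDS[unit])
    if pos != len(modifier):
        raise ValueError(f"bad modifier: {modifier!r}")
    return t


def check_window(earliest: datetime, latest: datetime) -> tuple[int, int]:
    """Return (earliest, latest) as epoch seconds, rejecting an inverted window."""
    if earliest >= latest:
        raise ValueError(f"earliest {earliest.isoformat()} is not before latest {latest.isoformat()}")
    return int(earliest.timestamp()), int(latest.timestamp())


def fixed_latest_window(modifier: str, latest: datetime) -> tuple[int, int]:
    """Dropdown pattern: the offset is taken from the fixed latest, so the window never starts after it."""
    return check_window(relative_time(latest, modifier), latest)


def time_picker_window(modifier: str, now: datetime, latest: datetime) -> tuple[int, int]:
    """Time-picker pattern: earliest is relative to now while latest stays fixed; breaks once now moves on."""
    return check_window(relative_time(now, modifier), latest)


if __name__ == "__main__":
    latest = parse_absolute("07/23/2017:00:00:00")
    print(int(latest.timestamp()))                   # 1500782400, the thread's endpoint
    print(fixed_latest_window("-30d", latest))       # (1498190400, 1500782400)
    now = parse_absolute("07/27/2017:10:00:00")      # constructed "current time"
    print(time_picker_window("-7d@d", now, latest))  # earliest 07/20, as in niketn's example
    try:
        time_picker_window("-1d@d", now, latest)     # Yesterday on 07/27 lands after 07/23
    except ValueError as e:
        print("rejected:", e)
    try:
        parse_absolute("-30d@d")                     # the error pushpender hit
    except ValueError as e:
        print(e)
```

The fixed_latest_window function is the dropdown approach: because the anchor is the fixed date, any negative offset yields a valid window regardless of when the dashboard is opened. The time_picker_window function shows why the time-picker approach only works by accident while "now" is still close to 07/23.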

pushpender07
Explorer

Yup, this works. Thanks a bunch!
