Splunk Search

Dashboard: How can I convert a token from a "Time Picker" into a unit of time like minutes?

danielbarr
Explorer

Hi everyone,

Here's the process I'm trying to do.

Initial Conversion
1. Use a "Time Picker" input -->
2. Take the time selected -->
3. Convert that into a token that stores the value in minutes

Example & Usage of the Token
1. User selects desired selection from the time picker input -->
ex: Selected time is "last 4 hours"
2. a token is then given the value in minutes
ex: $sel_time$ = 240 -->
3. use the token inside a custom time frame
ex: 7d-$sel_time$


I'm not sure how the time picker is formatted or stored, so I'm having trouble. Thanks!

sgadde
Explorer

  

    <input type="time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-7d@w0</earliest>
        <latest>@w0</latest>
      </default>
      <change>
        <condition match="isnum($earliest$) OR isnum($latest$)">
          <eval token="sel_time">tostring(($latest$-$earliest$)/60)+"m"</eval>
        </condition>
        <condition>
          <eval token="sel_time">tostring((relative_time(now(), $latest$)-relative_time(now(), $earliest$))/60)+"m"</eval>
        </condition>
      </change>
    </input>

    <panel>
      <table>
        <title>$sel_time$</title>
        <search>
          <query>index=_internal | head 1 | eval minutes=$sel_time|s$, earliest=$earliest|s$, latest=$latest|s$ | table earliest, latest, minutes</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>

This will create a new token, sel_time, which calculates the minutes contained in the time range.
The time picker gives you earliest and latest tokens in epoch/Unix timestamp (if you select a date range or specify date/time explicitly) or in string format like "-7d@w0" (if you select relative time range presets).

Logic: sel_time token is set based on the type of earliest and latest.

  • If both are numeric, sel_time token is the difference between the epoch provided by the latest and earliest tokens of your time picker input divided by 60.
  • For all other cases, latest and earliest tokens are converted to epoch and the difference in seconds is divided by 60 and stored in sel_time token.

In your question: 3. use the token inside a custom time frame ex: 7d-$sel_time$, your $sel_time$ should have m at the end to specify that the value given by $sel_time$ is in minutes.

Here the string conversion and the concatenation of "m" at the end is done so sel_time token can be used along with relative time presets without modification.

tmcmaster
Explorer

Thanks for this. From my testing I didn't even need the conditional on the isnum.

   <change>
       <eval token="sel_time">tostring((relative_time(now(), $latest$)-relative_time(now(), $earliest$))/60)+"m"</eval>
   </change>

My only issue now is initializing the string. It works great on changes, but init doesn't seem to have the values in the time picker yet.

0 Karma
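An alternative to the `<change>` handler approach discussed above, added here as an example and not posted by anyone in this thread: a hidden search runs over the picker's range, `addinfo` exposes the resolved bounds as epoch seconds (so relative presets and explicit dates take the same path), and a `<done>` handler copies the result into `sel_time`. Because the picker has a default, the search also has a range to run over when the dashboard first loads. The token name `tp` and the labels are assumptions; `sel_time` is the token name from the question.

```xml
<form>
  <label>Time range in minutes (added example)</label>

  <!-- Hidden search: produces no panel, only sets the sel_time token -->
  <search>
    <query>
      | makeresults
      | addinfo
      | eval info_max_time = if(info_max_time == "+Infinity", now(), info_max_time)
      | eval sel_time = tostring(round((info_max_time - info_min_time) / 60)) . "m"
      | fields sel_time
    </query>
    <!-- Run over whatever the time picker currently holds -->
    <earliest>$tp.earliest$</earliest>
    <latest>$tp.latest$</latest>
    <done>
      <!-- First result row's sel_time field, e.g. "240m" for "Last 4 hours" -->
      <set token="sel_time">$result.sel_time$</set>
    </done>
  </search>

  <fieldset submitButton="false">
    <input type="time" token="tp" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>-4h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <title>Selected span: $sel_time$</title>
        <search>
          <query>| makeresults | eval minutes=$sel_time|s$ | table minutes</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With "All time" selected, `addinfo` reports `info_min_time` as 0 and `info_max_time` as `+Infinity`, so the query substitutes `now()` for the upper bound and the span becomes the number of minutes since the epoch.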

koenphilipsen
Engager

Thanks! This helped me a lot.
But I think you have to change the references to the variables like this:

    <input type="time" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition match="isnum(earliest)">
          <eval token="sel_time">tostring((latest-earliest)/60)+"m"</eval>
        </condition>
        <condition>
          <eval token="sel_time">tostring((relative_time(now(), latest)-relative_time(now(), earliest))/60)+"m"</eval>
        </condition>
      </change>
    </input>
0 Karma

sgadde
Explorer

I think earliest and latest should be enclosed in $ since they are tokens. I've used a similar piece of code and that worked for me.

0 Karma

sundareshr
Legend

Try this

  <fieldset submitButton="false">
    <input type="time" token="t" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | head 1 | eval x=strftime(relative_time(now(), "$t.earliest$"), "%c") | table _time x</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
0 Karma

danielbarr
Explorer

I'm not sure how to use this for my case. All I want is the timespan selected in minutes, not the formatted date. So if they select 60 minutes the token would just be $sel_timespan$ = 60. Maybe I'm misunderstanding what you did here.

I think I'd have to take the two time periods your code gives and then subtract them to get the time in minutes.

Thanks.

0 Karma

neluvasilica
Explorer

@danielbarr, did you manage to get this working? I am trying to achieve the same thing but without great success...

0 Karma

sundareshr
Legend

You could do eval e=relative_time(now(), "$t.earliest$") | eval l=relative_time(now(), "$t.latest$") | eval dur=l-e to get the duration

0 Karma