Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamic time creation based on time picker

ethanhunt
Explorer
‎09-20-2023 12:13 PM

Hi,

I have a dashboard that shows service tickets count based on different parameters. 

Now I need to show a trend for current year and previous year for the duration selected by the user in the time picker.

For example, if the user selects time from Jan 1, 2023 to Apr 1, 2023 in the time picker , then I need to form a query to select the same duration of previous year( Jan 1, 2022 to Apr 1, 2022) and show the trend .

How to create the previous year duration based on the duration selected in the time picker.  Please advise.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-20-2023 04:33 PM

The linked article by @dmacintosh_splu shows you how to create the relative comparable time for the same period in the previous year using a dummy search. To make the 1 year calculation, I would do

  <search>
    <query>
| makeresults
| addinfo
| eval prev_year_earliest=relative(info_min_time, "-1y")
| eval prev_year_latest=relative(info_max_time, "-1y")
| fields prev_*
    </query>
    <done>
      <set token="prev_year_earliest">$result.prev_year_earliest$</eval>
      <set token="prev_year_latest">$result.prev_year_latest$</eval>
    </done>
  </search>

what is that you can't do specifically? Do you want a single panel to show both years on a timechart - when you say trend, do you mean a straight line indicating direction or comparative data points for the previous year?

If you want a single panel showing both years, then you still need the above search and your main search to populate the data will be something like this to include both token sets and then timewrap to wrap previous year to current year

search (earliest=$time.earliest$ latest=$time.latest$) OR 
       (earliest=$prev_year_earliest$ latest=$prev_year_latest$)
...
| timechart ...
| timewrap 1y

 

View solution in original post

Reply
Solved! Jump to solution

ethanhunt
Explorer
‎09-20-2023 02:03 PM

Thanks @dmacintosh_splu for the response, but i doesn't really help me.  When i select the duration in the time picker, say from Jan 1, 2023 to May 1, 2023 , then my dashboard will have to use the trend for the number of tickets in first panel and the trend for the number of the tickets in the second panel for the same duration for previous year (Jan 1, 2022 to May 1, 2022). 

I am not sure how to frame the search query for extracting the tickets trend for previous year.

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-20-2023 04:33 PM

The linked article by @dmacintosh_splu shows you how to create the relative comparable time for the same period in the previous year using a dummy search. To make the 1 year calculation, I would do

  <search>
    <query>
| makeresults
| addinfo
| eval prev_year_earliest=relative(info_min_time, "-1y")
| eval prev_year_latest=relative(info_max_time, "-1y")
| fields prev_*
    </query>
    <done>
      <set token="prev_year_earliest">$result.prev_year_earliest$</eval>
      <set token="prev_year_latest">$result.prev_year_latest$</eval>
    </done>
  </search>

what is that you can't do specifically? Do you want a single panel to show both years on a timechart - when you say trend, do you mean a straight line indicating direction or comparative data points for the previous year?

If you want a single panel showing both years, then you still need the above search and your main search to populate the data will be something like this to include both token sets and then timewrap to wrap previous year to current year

search (earliest=$time.earliest$ latest=$time.latest$) OR 
       (earliest=$prev_year_earliest$ latest=$prev_year_latest$)
...
| timechart ...
| timewrap 1y

 

Reply
Solved! Jump to solution

ethanhunt
Explorer
‎09-25-2023 07:54 AM

Thanks @bowesmana for the solution, it worked like a charm !!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...