Splunk Search

Dynamic time creation based on time picker

ethanhunt
Explorer

Hi,

I have a dashboard that shows service tickets count based on different parameters. 

Now I need to show a trend for current year and previous year for the duration selected by the user in the time picker.

For example, if the user selects the time from Jan 1, 2023 to Apr 1, 2023 in the time picker, then I need to form a query to select the same duration of the previous year (Jan 1, 2022 to Apr 1, 2022) and show the trend.

How do I create the previous year duration based on the duration selected in the time picker? Please advise.

0 Karma
1 Solution

bowesmana
SplunkTrust

The linked article by @dmacintosh_splu shows you how to create the relative comparable time for the same period in the previous year using a dummy search. To make the 1 year calculation, I would do

  <search>
    <query>
| makeresults
| addinfo
| eval prev_year_earliest=relative_time(info_min_time, "-1y")
| eval prev_year_latest=relative_time(info_max_time, "-1y")
| fields prev_*
    </query>
    <!-- bind the helper search to the time picker so addinfo reports the user's selection -->
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <done>
      <set token="prev_year_earliest">$result.prev_year_earliest$</set>
      <set token="prev_year_latest">$result.prev_year_latest$</set>
    </done>
  </search>

What is it that you can't do specifically? Do you want a single panel to show both years on a timechart? When you say trend, do you mean a straight line indicating direction, or comparative data points for the previous year?

If you want a single panel showing both years, then you still need the above search, and your main search to populate the data will be something like this, including both token sets and then using timewrap to wrap the previous year onto the current year:

search (earliest=$time.earliest$ latest=$time.latest$) OR 
       (earliest=$prev_year_earliest$ latest=$prev_year_latest$)
...
| timechart ...
| timewrap 1y

 

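The following is an added worked example, not code from the original thread or from Splunk: a complete Simple XML form that puts the accepted answer together end to end. It assumes a time input whose token is named `time`, an index called `tickets`, and a daily span; all three are illustrative. Two details matter in practice: the helper search must carry its own `<earliest>`/`<latest>` bound to the picker, otherwise `addinfo` reports whatever default range the dashboard uses rather than the user's selection, and `info_max_time` is the literal string `+Infinity` when the upper bound is open, which `relative_time` cannot shift, so the helper falls back to `now()` in that case.

```xml
<!-- Added example (not from the original post). Assumed names: token "time",
     index "tickets", field "status". Adjust to your data. -->
<form>
  <label>Ticket trend: selected period vs same period last year</label>

  <fieldset submitButton="false">
    <!-- The time picker whose selection drives both windows -->
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Helper search: touches no data, only derives the previous-year window.
       earliest/latest are bound to the picker so addinfo sees the user's choice. -->
  <search>
    <query>
| makeresults
| addinfo
| eval prev_year_earliest=relative_time(info_min_time, "-1y")
| eval prev_year_latest=if(info_max_time="+Infinity",
                           relative_time(now(), "-1y"),
                           relative_time(info_max_time, "-1y"))
| fields prev_year_earliest prev_year_latest
    </query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <done>
      <set token="prev_year_earliest">$result.prev_year_earliest$</set>
      <set token="prev_year_latest">$result.prev_year_latest$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Tickets per day: selected period and one year earlier</title>
      <chart>
        <!-- Both windows are selected inside the query; timewrap then overlays
             the earlier year onto the current one as a second series. -->
        <search>
          <query>
(index=tickets earliest=$time.earliest$ latest=$time.latest$)
OR (index=tickets earliest=$prev_year_earliest$ latest=$prev_year_latest$)
| timechart span=1d count
| timewrap 1y
          </query>
          <!-- Keep the panel's own range wide so the dashboard default cannot
               clip the previous-year window selected in the query. -->
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

`timewrap 1y` yields two series from the single `count` column, one for the selected period and one for the same calendar span a year earlier, aligned on the same x axis. The example assumes a bounded picker selection; choosing "All time" leaves `$time.latest$` empty, which makes the inline `latest=` clause invalid, so either restrict the picker's presets or guard the token with a default.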

ethanhunt
Explorer

Thanks @dmacintosh_splu for the response, but it doesn't really help me. When I select the duration in the time picker, say from Jan 1, 2023 to May 1, 2023, then my dashboard will have to use the trend for the number of tickets in the first panel and the trend for the number of tickets in the second panel for the same duration of the previous year (Jan 1, 2022 to May 1, 2022).

I am not sure how to frame the search query for extracting the tickets trend for previous year.

0 Karma

ethanhunt
Explorer

Thanks @bowesmana for the solution, it worked like a charm!

0 Karma