Splunk Search

How do I calculate another time frame based on time input?

Kallantin
New Member

I am trying to build a dash where I need to calculate another earliest and latest based on an input of time.

The second time would get calculated depending on the values in a dropdown, see below example.

I want to add 90,180 or 1 year to the time set in the input="time". I have tried to add the calculations into the input but it is not returning any values. I have also tried to include

        | eval calc_early=strptime($main_time.earliest$,"%Y-%m-%d")
        | eval comp_early=relative_time(calc_early,$review_modifier$)
        | eval calc_late=strptime($main_time.latest$,"%Y-%m-%d")
        | eval comp_late=relative_time(calc_late,$review_modifier$)

In the query itself but that is also not working.

<input type="time" searchWhenChanged="true" token="main_time">
  <label>Date Range for 'over time' reports</label>
  <default>
    <earliest>-6mon@mon</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="dropdown" searchWhenChanged="true" depends="$display_review$" token="compare_time">
  <label>Compare Range:</label>
  <default>Previous 180 Days</default>
    <choice value="Quarter">Previous Quarter</choice>
    <choice value="Halfyear">Previous 180 Days</choice>
    <choice value="Lastyear">Previous Year</choice>
    <change>
      <condition value="Quarter">
        <set token="review_modifier">-1q@q</set>
        <set token="review_epoch">7776000</set>
      </condition>
      <condition value="Halfyear">
        <set token="review_modifier">-6mon@mon</set>
        <set token="review_epoch">15552000</set>
      </condition>
      <condition value="Lastyear">
        <set token="review_modifier">-1y@y</set>
        <set token="review_epoch">31536000</set>
      </condition>
     <search>
      <query>
        | eval calc_early=strptime($main_time.earliest$,"%Y-%m-%d")
        | eval comp_early=relative_time(calc_early,$review_modifier$)
        | eval calc_late=strptime($main_time.latest$,"%Y-%m-%d")
        | eval comp_late=relative_time(calc_late,$review_modifier$)
      </query>
     </search>
     </change>
</input>

Any help appreciated as I am not sure what I am doing wrong.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...