Solved: Re: How do I get the time span (span=X) in a searc...

praspai · ‎10-19-2015

Hi,

I want the time span in a search to adjust based upon the time picker value.

i.e.

time picker is day, then span=1h
month, then span=1d
year, then span=1month

thanks ..

woodcock · ‎10-19-2015

Like this:

| makeresults
| addinfo
| eval timepickerSpanSeconds=(info_max_time - info_min_time)
| eval spanToken=case(timepickerSpanSeconds>=31536000, "1m",
                      timepickerSpanSeconds>=604800,   "1d",
                      timepickerSpanSeconds<60,        "1s",
                      timepickerSpanSeconds<3600,      "1m",
                      true(),                          "1h")
| map search="search index=* earliest=$info_min_time$ latest=$info_max_time$ | timechart count span=$spanToken$ BY host"

View solution in original post

woodcock · ‎10-19-2015

Like this:

| makeresults
| addinfo
| eval timepickerSpanSeconds=(info_max_time - info_min_time)
| eval spanToken=case(timepickerSpanSeconds>=31536000, "1m",
                      timepickerSpanSeconds>=604800,   "1d",
                      timepickerSpanSeconds<60,        "1s",
                      timepickerSpanSeconds<3600,      "1m",
                      true(),                          "1h")
| map search="search index=* earliest=$info_min_time$ latest=$info_max_time$ | timechart count span=$spanToken$ BY host"

praspai · ‎10-20-2015

Its perfectly working in searches but not in Dashboard. Its not picking value from time picker

woodcock · ‎10-20-2015

You have to play around with the dollar-sign because it is used both by the XML and by the map command in the search. Try adding a second one to each occurrence.

praspai · ‎10-20-2015

Thanks ...

woodcock · ‎02-26-2016

You can also do it like this:

... | timechart [
|makeresults 
| addinfo 
| eval timepickerSpanSeconds=(info_max_time - info_min_time) 
| eval span=case(
   timepickerSpanSeconds>=31536000, "1m", 
   timepickerSpanSeconds>=604800, "1d", 
   timepickerSpanSeconds<60, "1s", 
   timepickerSpanSeconds<3600, "1m", 
   true(), "1h") 
| table span 
| format "" "" "" "" "" ""] count BY host

This solution avoids the whole dollar-sign problem entirely.

dbcase · ‎09-15-2016

modify this earliest=$info_min_time$ latest=$info_max_time$ to look like this earliest=$$info_min_time$$ latest=$$info_max_time$$

woodcock · ‎10-20-2015

That's the best I have.

somesoni2 · ‎10-19-2015

You can try any of these two methods

https://answers.splunk.com/answers/218928/how-to-dynamically-change-the-span-parameter-for-a.html

https://answers.splunk.com/answers/79779/passing-span-as-argument-to-timechart.html

How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?