Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

praspai
Path Finder
‎10-19-2015 07:09 AM

Hi,

I want the time span in a search to adjust based upon the time picker value.

i.e.

time picker is day, then span=1h
month, then span=1d
year, then span=1month

thanks ..

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-19-2015 04:47 PM

Like this:

| makeresults
| addinfo
| eval timepickerSpanSeconds=(info_max_time - info_min_time)
| eval spanToken=case(timepickerSpanSeconds>=31536000, "1m",
                      timepickerSpanSeconds>=604800,   "1d",
                      timepickerSpanSeconds<60,        "1s",
                      timepickerSpanSeconds<3600,      "1m",
                      true(),                          "1h")
| map search="search index=* earliest=$info_min_time$ latest=$info_max_time$ | timechart count span=$spanToken$ BY host"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-19-2015 04:47 PM

Like this:

| makeresults
| addinfo
| eval timepickerSpanSeconds=(info_max_time - info_min_time)
| eval spanToken=case(timepickerSpanSeconds>=31536000, "1m",
                      timepickerSpanSeconds>=604800,   "1d",
                      timepickerSpanSeconds<60,        "1s",
                      timepickerSpanSeconds<3600,      "1m",
                      true(),                          "1h")
| map search="search index=* earliest=$info_min_time$ latest=$info_max_time$ | timechart count span=$spanToken$ BY host"
Reply
Solved! Jump to solution

praspai
Path Finder
‎10-20-2015 07:25 AM

Its perfectly working in searches but not in Dashboard. Its not picking value from time picker

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-20-2015 08:20 AM

You have to play around with the dollar-sign because it is used both by the XML and by the map command in the search. Try adding a second one to each occurrence.

0 Karma
Reply
Solved! Jump to solution

praspai
Path Finder
‎10-20-2015 11:25 PM

Thanks ...

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-26-2016 06:51 PM

You can also do it like this:

... | timechart [
|makeresults 
| addinfo 
| eval timepickerSpanSeconds=(info_max_time - info_min_time) 
| eval span=case(
   timepickerSpanSeconds>=31536000, "1m", 
   timepickerSpanSeconds>=604800, "1d", 
   timepickerSpanSeconds<60, "1s", 
   timepickerSpanSeconds<3600, "1m", 
   true(), "1h") 
| table span 
| format "" "" "" "" "" ""] count BY host

This solution avoids the whole dollar-sign problem entirely.

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-15-2016 01:27 PM

modify this earliest=$info_min_time$ latest=$info_max_time$ to look like this earliest=$$info_min_time$$ latest=$$info_max_time$$

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-20-2015 08:18 AM

That's the best I have.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...