Splunk Search
Highlighted

How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Path Finder

Hi,

I want the time span in a search to adjust based upon the time picker value.

i.e.

time picker is day, then span=1h
month, then span=1d
year, then span=1month

thanks ..

0 Karma
Highlighted

Re: How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

SplunkTrust
SplunkTrust
0 Karma
Highlighted

Re: How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Esteemed Legend

Like this:

| makeresults
| addinfo
| eval timepickerSpanSeconds=(info_max_time - info_min_time)
| eval spanToken=case(timepickerSpanSeconds>=31536000, "1m",
                      timepickerSpanSeconds>=604800,   "1d",
                      timepickerSpanSeconds<60,        "1s",
                      timepickerSpanSeconds<3600,      "1m",
                      true(),                          "1h")
| map search="search index=* earliest=$info_min_time$ latest=$info_max_time$ | timechart count span=$spanToken$ BY host"

View solution in original post

Highlighted

Re: How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Path Finder

Its perfectly working in searches but not in Dashboard. Its not picking value from time picker

0 Karma
Highlighted

Re: How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Esteemed Legend

That's the best I have.

0 Karma
Highlighted

Re: How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Esteemed Legend

You have to play around with the dollar-sign because it is used both by the XML and by the map command in the search. Try adding a second one to each occurrence.

0 Karma
Highlighted

Re: How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Path Finder

Thanks ...

0 Karma
Highlighted

Re: How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Esteemed Legend

You can also do it like this:

... | timechart [
|makeresults 
| addinfo 
| eval timepickerSpanSeconds=(info_max_time - info_min_time) 
| eval span=case(
   timepickerSpanSeconds>=31536000, "1m", 
   timepickerSpanSeconds>=604800, "1d", 
   timepickerSpanSeconds<60, "1s", 
   timepickerSpanSeconds<3600, "1m", 
   true(), "1h") 
| table span 
| format "" "" "" "" "" ""] count BY host

This solution avoids the whole dollar-sign problem entirely.

0 Karma
Highlighted

Re: How do I get the time span (span=X) in a search to automatically adjust depending on the time picker value chosen?

Motivator

modify this earliest=$info_min_time$ latest=$info_max_time$ to look like this earliest=$$info_min_time$$ latest=$$info_max_time$$

0 Karma