I am doing an eval calculation to get a percent for uptime. I would like to get my value from the time picker, so that I can have a dynamic search.
Here is my eval statement:
| eval perc = tonumber(round(Minutes/43200*100,4))
I would like to replace 43200 with a token?
This value 43200 is how many Minutes in 30 days.
@computemoore78 refer to one of my older answers to set token based on time range picker: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
On similar lines please try the following run anywhere with an independent search based on Time Picker input that sets the minutes token.
Alternatively, as suggested by @woodcock you can use the same search from
| addinfo ... in the queries where you want to have minutes based on time range picker used in that search. If you want this approach then it would be better if you move this piece of code to macro.
<form> <label>Minutes as token based on Time Picker</label> <!-- Independent Search for setting minutes for the selected time range --> <search> <query>| makeresults | addinfo | eval minutes=case(info_max_time!="+Infinity",floor((info_max_time-info_min_time)/60),true(),floor((strptime("1971/01/01","%Y/%m/%d")-info_min_time)/60))</query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <progress> <set token="tokMinutes">$result.minutes$</set> </progress> </search> <fieldset submitButton="false"> <input type="time" token="tokTime"> <label></label> <default> <earliest>-31d@d</earliest> <latest>-1d@d-1s</latest> </default> </input> </fieldset> <row> <panel> <html> <div>tokMinutes: $tokMinutes$</div> </html> </panel> </row> </form>
get the latest and earliest time using stats or eventstats, and subtract the two, this will give you time in seconds , divide by 60 for min.
<yoursearch> | stats earliest(_time) as earliest, latest(_time) as latest| eval time_in_sec= latest-earliest| eval time_in_min=time_in_sec/60