Splunk Search

How do you pass the time picker value into an eval calculation?

New Member

I am doing an eval calculation to get a percent for uptime. I would like to get my value from the time picker, so that I can have a dynamic search.

Here is my eval statement:

| eval perc = tonumber(round(Minutes/43200*100,4))  

I would like to replace 43200 with a token?

This value, 43200, is the number of minutes in 30 days.

Thanks

0 Karma

SplunkTrust

@computemoore78 refer to one of my older answers to set token based on time range picker: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Along similar lines, please try the following run-anywhere example with an independent search, based on the Time Picker input, that sets the minutes token.

Alternatively, as suggested by @woodcock, you can use the same search from | addinfo ... in the queries where you want to have minutes based on the time range picker used in that search. If you want this approach, then it would be better to move this piece of code to a macro.

<form>
  <label>Minutes as token based on Time Picker</label>
  <!-- Independent Search for setting minutes for the selected time range -->
  <search>
    <query>| makeresults 
| addinfo
| eval minutes=case(info_max_time!="+Infinity",floor((info_max_time-info_min_time)/60),true(),floor((strptime("1971/01/01","%Y/%m/%d")-info_min_time)/60))</query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <progress>
      <set token="tokMinutes">$result.minutes$</set>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>-31d@d</earliest>
        <latest>-1d@d-1s</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <div>tokMinutes: $tokMinutes$</div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Esteemed Legend

The "cheater" way to do it is to add | addinfo to the end of your search which will create fields info_min_time and info_max_time (among others).

New Member

I like this. I am going to try it.

0 Karma
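
The in-search approach suggested above (`| addinfo` inside the panel search), applied to the percent calculation from the question, as an added example that is not part of the original thread. The sample rows, the field names window_end and window_minutes, and the use of now() as the upper bound for an "All time" selection are assumptions.

```xml
<form>
  <label>Uptime percent over the selected time range</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label>Time range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The first three commands build constructed sample rows;
               replace them with the real search that produces Minutes. -->
          <query><![CDATA[| makeresults count=3
| streamstats count AS n
| eval host="host".n, Minutes=case(n==1, 43200, n==2, 40000, n==3, 1440)
| addinfo
| eval window_end=if(info_max_time=="+Infinity", now(), info_max_time)
| eval window_minutes=floor((window_end - info_min_time) / 60)
| eval perc=if(window_minutes > 0, round(Minutes / window_minutes * 100, 4), null())
| table host Minutes window_minutes perc]]></query>
          <!-- The picker bounds the search; addinfo exposes those bounds as
               info_min_time and info_max_time, so the divisor follows the
               picker and not the _time of the events. now() for "All time"
               is an assumption of this example. -->
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With the default range of 30 whole days, window_minutes comes out at 43200 (apart from a daylight-saving shift inside the window), matching the constant in the original eval.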

Influencer

What is the earliest event date for your search using a 30-day window?

0 Karma

New Member

It is 03/15 6:09pm and the latest is 03/15 6:49. I believe it's passing the time from the event for sure.
I would like it to pass the time from the time picker.

0 Karma

Influencer

Is it a dashboard? If yes, you can use the tokens for the time picker input. If it is a search or report, it will be static anyway, like converting 30 days into minutes. What is the context?

0 Karma

New Member

It is a dashboard.

0 Karma

Influencer

If your time input token name is field1, then in your search:

| eval time = $field1.latest$ - $field1.earliest$

0 Karma

New Member

So what does that look like? Here is my statement again:
| eval perc = tonumber(round(Minutes/43200*100,4))
I want to replace the 43200 with a token from the time picker.

0 Karma

Influencer

What is 43200: a difference in time or the latest time? If it's a difference in time, you can use the above value of the time variable, which is the difference of latest and earliest from the time picker.

0 Karma

New Member

43200 is the number of minutes in a month

0 Karma

Influencer

You can replace it with the variable time which we calculated above. Also, can you please share your dashboard XML, so I can see the token name?

0 Karma

New Member

This did not work properly, when I passed it into my search it came back with 39.45 mins but the time picker is 30 days??

0 Karma

New Member

It seems like it is getting the _time from the event, not the time picker.

0 Karma

Influencer

Get the latest and earliest time using stats or eventstats, and subtract the two; this will give you the time in seconds. Divide by 60 for minutes.

<yoursearch> | stats earliest(_time) as earliest, latest(_time) as latest | eval time_in_sec=latest-earliest | eval time_in_min=time_in_sec/60
0 Karma