Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you pass the time picker value into an eval calculation?

computemoore78
New Member
‎03-29-2019 02:00 PM

I am doing an eval calculation to get a percent for uptime. I would like to get my value from the time picker, so that I can have a dynamic search.

Here is my eval statement:

| eval perc = tonumber(round(Minutes/43200*100,4))

I would like to replace 43200 with a token?

This value 43200 is how many Minutes in 30 days.

Thanks

0 Karma
Reply

niketn
Legend
‎04-01-2019 10:42 AM

@computemoore78 refer to one of my older answers to set token based on time range picker: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

On similar lines please try the following run anywhere with an independent search based on Time Picker input that sets the minutes token.

Alternatively, as suggested by @woodcock you can use the same search from | addinfo ... in the queries where you want to have minutes based on time range picker used in that search. If you want this approach then it would be better if you move this piece of code to macro.

<form>
  <label>Minutes as token based on Time Picker</label>
  <!-- Independent Search for setting minutes for the selected time range -->
  <search>
    <query>| makeresults 
| addinfo
| eval minutes=case(info_max_time!="+Infinity",floor((info_max_time-info_min_time)/60),true(),floor((strptime("1971/01/01","%Y/%m/%d")-info_min_time)/60))</query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <progress>
      <set token="tokMinutes">$result.minutes$</set>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label></label>
      <default>
        <earliest>-31d@d</earliest>
        <latest>-1d@d-1s</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <div>tokMinutes: $tokMinutes$</div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2019 09:06 PM

The "cheater" way to do it is to add | addinfo to the end of your search which will create fields info_min_time and info_max_time (among others).

Reply

computemoore78
New Member
‎04-01-2019 09:01 AM

I like this I am going to try it

0 Karma
Reply

Vijeta
Influencer
‎03-29-2019 03:36 PM

What is the earliest event date for your search using 30 days window ?

0 Karma
Reply

computemoore78
New Member
‎03-29-2019 03:41 PM

It is 03/15 6:09pm and the latest is 03/15 6:49. I believe it's passing the time from the event for sure.
I would like it to pass the time from the time picker..

0 Karma
Reply

Vijeta
Influencer
‎03-29-2019 03:44 PM

Is it a dashboard ? If yes you can use the tokens for time picker input. If it search or report it will be static anyways like converting 30 days into minutes. What is the context ?

0 Karma
Reply

computemoore78
New Member
‎03-29-2019 03:49 PM

It is a dashboard.

0 Karma
Reply

Vijeta
Influencer
‎03-29-2019 03:54 PM

If your time input token name is field1 , then in your search

| eval time = $field1.latest$ - $field1.earliest$

0 Karma
Reply

computemoore78
New Member
‎03-29-2019 04:16 PM

So what does that look like here is my statement again.
| eval perc = tonumber(round(Minutes/43200*100,4))
I want to replace the 43200 with a Token from the Timepicker

0 Karma
Reply

Vijeta
Influencer
‎03-29-2019 04:36 PM

What is 43200 difference in time or the latest time . If it’s difference in time you can use the above value of time variable which is difference of latest and earliest from time picker .

0 Karma
Reply

computemoore78
New Member
‎04-01-2019 08:53 AM

43200 is the number of minutes in a month

0 Karma
Reply

Vijeta
Influencer
‎04-01-2019 09:23 AM

You can replace it with variable time which we calculated above. Also can you please share your dashboard xML , so I can see token name.

0 Karma
Reply

computemoore78
New Member
‎03-29-2019 03:17 PM

This did not work properly, when I passed it into my search it came back with 39.45 mins but the time picker is 30 days??

0 Karma
Reply

computemoore78
New Member
‎03-29-2019 03:18 PM

It seems like it getting the _time from the event not the Time picker

0 Karma
Reply

Vijeta
Influencer
‎03-29-2019 02:42 PM

get the latest and earliest time using stats or eventstats, and subtract the two, this will give you time in seconds , divide by 60 for min.

<yoursearch> | stats earliest(_time) as earliest, latest(_time) as latest| eval time_in_sec= latest-earliest| eval time_in_min=time_in_sec/60
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...