I am doing an eval calculation to get a percent for uptime. I would like to get my value from the time picker, so that I can have a dynamic search.
Here is my eval statement:
| eval perc = tonumber(round(Minutes/43200*100,4))
I would like to replace 43200 with a token?
This value 43200 is how many Minutes in 30 days.
Thanks
@computemoore78 refer to one of my older answers to set token based on time range picker: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
On similar lines please try the following run anywhere with an independent search based on Time Picker input that sets the minutes token.
Alternatively, as suggested by @woodcock you can use the same search from | addinfo ...
in the queries where you want to have minutes based on time range picker used in that search. If you want this approach then it would be better if you move this piece of code to macro.
<form>
<label>Minutes as token based on Time Picker</label>
<!-- Independent Search for setting minutes for the selected time range -->
<search>
<query>| makeresults
| addinfo
| eval minutes=case(info_max_time!="+Infinity",floor((info_max_time-info_min_time)/60),true(),floor((strptime("1971/01/01","%Y/%m/%d")-info_min_time)/60))</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<progress>
<set token="tokMinutes">$result.minutes$</set>
</progress>
</search>
<fieldset submitButton="false">
<input type="time" token="tokTime">
<label></label>
<default>
<earliest>-31d@d</earliest>
<latest>-1d@d-1s</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>
<div>tokMinutes: $tokMinutes$</div>
</html>
</panel>
</row>
</form>
The "cheater" way to do it is to add | addinfo
to the end of your search which will create fields info_min_time
and info_max_time
(among others).
I like this I am going to try it
What is the earliest event date for your search using 30 days window ?
It is 03/15 6:09pm and the latest is 03/15 6:49. I believe it's passing the time from the event for sure.
I would like it to pass the time from the time picker..
Is it a dashboard ? If yes you can use the tokens for time picker input. If it search or report it will be static anyways like converting 30 days into minutes. What is the context ?
It is a dashboard.
If your time input token name is field1 , then in your search
| eval time = $field1.latest$ - $field1.earliest$
So what does that look like here is my statement again.
| eval perc = tonumber(round(Minutes/43200*100,4))
I want to replace the 43200 with a Token from the Timepicker
What is 43200 difference in time or the latest time . If it’s difference in time you can use the above value of time variable which is difference of latest and earliest from time picker .
43200 is the number of minutes in a month
You can replace it with variable time which we calculated above. Also can you please share your dashboard xML , so I can see token name.
This did not work properly, when I passed it into my search it came back with 39.45 mins but the time picker is 30 days??
It seems like it getting the _time from the event not the Time picker
get the latest and earliest time using stats or eventstats, and subtract the two, this will give you time in seconds , divide by 60 for min.
<yoursearch> | stats earliest(_time) as earliest, latest(_time) as latest| eval time_in_sec= latest-earliest| eval time_in_min=time_in_sec/60