Splunk Search

How to add date range to dashboard panel title so that the date range in the title and search time both are same?

Renunaren
Loves-to-Learn Everything

Hi Team,

 

We have a splunk dashboard panel which has a requirement that is.

The dashboard panel has a title which needs a time range and that time range should be same as the time range which is used for the search time in the panel. Below are the snippets which can give an idea about the requirement.

Renunaren_0-1680370592760.png

The date range which has highlighted should be same as the below search time which has been used in the same panel.

Renunaren_1-1680370821374.png

 

Need help on the above requirement.

Labels (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

Your best bet is to use an explicit time picker in the dashboard, like this:

<form version="1.1">
  <label>Show time picker</label>
  <init>
    <input type="time" token="time_tok">
      <label>Pick a time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search from &lt;$time_tok.earliest$&gt; to &lt;$time_tok.latest$&gt;</title>
      <table>
        <search>
          <query>index=_internal
| addinfo
| stats count by info_min_time info_max_time
| fieldformat info_min_time = strftime(info_min_time, "%F %H:%M:%S")
| fieldformat info_max_time = strftime(info_max_time, "%F %H:%M:%S")</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

You'll notice that it works best when the user selects from presets.  Otherwise the title will show epoc seconds of user's selection.  It is possible to convert general time range into human-friendly form using a "hidden" token calculation on the dashboard.  Bottom line is: There is no way to make title to show information that is pre-selected inside the panel.

0 Karma

Renunaren
Loves-to-Learn Everything

Hi User,

I have tried to use the above it is showing error like below while editing.

Renunaren_0-1680502989378.pngRenunaren_1-1680503007531.png

 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

My mistake. (I was editing from a dashboard that had other inputs unrelated to this problem, then deleted some tags.)

<form version="1.1">
  <label>Show time picker</label>
  <fieldset>
    <input type="time" token="time_tok">
      <label>Pick a time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search from &lt;$time_tok.earliest$&gt; to &lt;$time_tok.latest$&gt;</title>
      <table>
        <search>
          <query>index=_internal
| addinfo
| stats count by info_min_time info_max_time
| fieldformat info_min_time = strftime(info_min_time, "%F %H:%M:%S")
| fieldformat info_max_time = strftime(info_max_time, "%F %H:%M:%S")</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...