Splunk Search

How to add dynamic timewrap to dashboard?

SShalaka
Engager

Hello everyone, 

I want to be able to have  a dynamic timewrap option on my dashboard. Based on the user input (of specific time range and a time wrap variable), i want some graphs on the dashboard to plot the events from that entered time range and also the events from the day before/ week before, based on the timewrap variable. Is this doable? 

I have attached some messy code; not sure if this is doable. Thank you for your advice! SplunkQ.JPG

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

The initial setting of earliest and latest needs to quote the tokens on the right hand side.

Here's an example, where I have put the search inside a panel, so you can see what's going on - you will see that unless you quote the latest=$input_time.latest$, you will get an error in the eval statement

See this example

<form>
  <label>Time</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="input_time">
      <label>Incident</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="dynamic_time">
      <label>Dynamic</label>
      <initialValue>1d</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <set token="earliest">$result.earliest$</set>
            <set token="latest">$result.latest$</set>
            <set token="timewrap_earliest">$result.timewrap_earliest$</set>
            <set token="timewrap_latest">$result.timewrap_latest$</set>
          </done>
          <query>| makeresults
  | eval earliest="$input_time.earliest$"
  | eval latest="$input_time.latest$"
  | eval length=len("$input_time.earliest$")
  | eval earliest_unix=if(length&gt;10, "$input_time.earliest$", relative_time(now(), "$input_time.earliest$"))
  | eval latest_unix=if(length&gt;10, "$input_time.latest$", if("$input_time.latest$"=="now", relative_time(now(), "-0d"), relative_time(now(), "$input_time.latest$")))
  | eval timewrap_earliest=case("$dynamic_time$"=="1d", earliest_unix-86400, "$dynamic_time$"=="1w", earliest_unix-604800)
  | eval timewrap_latest=case("$dynamic_time$"=="1d", latest_unix-86400, "$dynamic_time$"=="1w", latest_unix-604800)
``` For display only ```
| eval eu=strftime(earliest_unix, "%F %T")
| eval lu=strftime(latest_unix, "%F %T")
| eval twe=strftime(timewrap_earliest, "%F %T")
| eval twl=strftime(timewrap_latest, "%F %T")
| table _time earliest latest earliest_unix latest_unix timewrap_earliest timewrap_latest eu lu twe twl</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
      <html>
  <h1>earliest=$earliest$</h1>
  <h1>latest=$latest$</h1>
  <h1>timewrap_earliest=$timewrap_earliest$</h1>
  <h1>timewrap_latest=$timewrap_latest$</h1>
  <h1>input_time.earliest=$input_time.earliest$</h1>
  <h1>input_time.latest=$input_time.latest$</h1>
      </html>
    </panel>
  </row>
</form>

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You can't use variables from the top part of the search in the append subsearch.  Subsearches run before the main search.

The solution is to do the earliest and latest calculations in a global search in the dashboard that is triggered from the user input and then set tokens based on that result in its <done> clause. Then those tokens can be used in this main search, which would then look something like

index=* other_criteria ((earliest=$earliest$ latest=$latest$) OR (earliest=$timewrap_earliest$ latest=$timewrap_latest$))
| rex...
| timechart...

Global search could look something like

<search>
  <query>
| makeresults
| eval earliest=calc_earliest...
| eval latest=calc_latest...
| eval timewrap_earliest=calc_timewrap_earliest...
| eval timewrap_latest=calc_timewrap_latest...
  </query>
  <done>
    <set token="earliest">$result.earliest$</set>
    <set token="latest">$result.latest$</set>
    <set token="timewrap_earliest">$result.timewrap_earliest$</set>
    <set token="timewrap_latest">$result.timewrap_latest$</set>
  </done>
</search>

Hope this helps

 

0 Karma

SShalaka
Engager

Hello @bowesmana thanks so much for taking the time to reply to my message, I am grateful. I have been messing around with the code but keep getting stuck at one point. I took your advice and created a global search, but since this base search needs to run based off a user input, it does not seem to work for me. 

When I put this search below the fieldset, it just automatically jumps to the top when I save the dashboard, and hence does not have access to the input values from the user. Is there something obvious I am missing or is there a solution for this?

 

splunkQ2.JPG

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

The order in the XML file is not significant, i.e. the global <search> would normally be at the top of the XML anyway.

If your fieldset input has a token input_time then this will be available to the search - do you have 'search when changed' on the input?

To diagnose tokens, you can create a simple HTML panel that shows the token values, e.g.

<row>
  <panel>
    <html>
<h1>earliest=$earliest$</h1>
<h1>latest=$latest$</h1>
<h1>timewrap_earliest=$timewrap_earliest$</h1>
<h1>timewrap_latest=$timewrap_latest$</h1>
<h1>input_time.earliest=$input_time.earliest$</h1>
<h1>input_time.latest=$input_time.latest$</h1>
    </html>
  </panel>
</row>

this should show you what is going on as you change the time picker setting

0 Karma

SShalaka
Engager

Hi @bowesmana, I have "search when changed" set to false. Does this matter? I tried out the html panel and this is the result I get: splunkQ3.JPG

 and this is the source: 

splunkQ4.JPG

Not sure where I am messing up; think I am missing something small..

0 Karma

bowesmana
SplunkTrust
SplunkTrust

The initial setting of earliest and latest needs to quote the tokens on the right hand side.

Here's an example, where I have put the search inside a panel, so you can see what's going on - you will see that unless you quote the latest=$input_time.latest$, you will get an error in the eval statement

See this example

<form>
  <label>Time</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="input_time">
      <label>Incident</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="dynamic_time">
      <label>Dynamic</label>
      <initialValue>1d</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <set token="earliest">$result.earliest$</set>
            <set token="latest">$result.latest$</set>
            <set token="timewrap_earliest">$result.timewrap_earliest$</set>
            <set token="timewrap_latest">$result.timewrap_latest$</set>
          </done>
          <query>| makeresults
  | eval earliest="$input_time.earliest$"
  | eval latest="$input_time.latest$"
  | eval length=len("$input_time.earliest$")
  | eval earliest_unix=if(length&gt;10, "$input_time.earliest$", relative_time(now(), "$input_time.earliest$"))
  | eval latest_unix=if(length&gt;10, "$input_time.latest$", if("$input_time.latest$"=="now", relative_time(now(), "-0d"), relative_time(now(), "$input_time.latest$")))
  | eval timewrap_earliest=case("$dynamic_time$"=="1d", earliest_unix-86400, "$dynamic_time$"=="1w", earliest_unix-604800)
  | eval timewrap_latest=case("$dynamic_time$"=="1d", latest_unix-86400, "$dynamic_time$"=="1w", latest_unix-604800)
``` For display only ```
| eval eu=strftime(earliest_unix, "%F %T")
| eval lu=strftime(latest_unix, "%F %T")
| eval twe=strftime(timewrap_earliest, "%F %T")
| eval twl=strftime(timewrap_latest, "%F %T")
| table _time earliest latest earliest_unix latest_unix timewrap_earliest timewrap_latest eu lu twe twl</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
      <html>
  <h1>earliest=$earliest$</h1>
  <h1>latest=$latest$</h1>
  <h1>timewrap_earliest=$timewrap_earliest$</h1>
  <h1>timewrap_latest=$timewrap_latest$</h1>
  <h1>input_time.earliest=$input_time.earliest$</h1>
  <h1>input_time.latest=$input_time.latest$</h1>
      </html>
    </panel>
  </row>
</form>
0 Karma

SShalaka
Engager

Hi @bowesmana yes I see where I was wrong. It works perfectly now, thanks so much 😊

0 Karma

bowesmana
SplunkTrust
SplunkTrust

oh, and as for the 'wrapping', instead of adding _time to bring it in line with the current search, just use the timewrap command, which does that for you

 

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...