
How to combine Absolute and Relative time Modifiers in earliest/latest filter?

kevin_larsson
New Member

I need to create a dashboard that will compare 2 sets of data from different times. Thus, I need to bypass the time picker. I realize that I may do this by including an earliest=x latest=y statement in my search. What I am trying to do is combine an absolute date with a relative statement.
The reason is that the absolute date in each of the two charts needs to be a variable from a button on the dashboard; in the example I am trying to build, this is a deployment date. I want to search x number of days (another variable) before and after that deployment date.

Example:

index=my_index source=my_source earliest=07/19/2023:00:00:00 latest=07/19/2023:23:59:59

In this example the deployment date is the 19th of July. How would I write this to be 07/19/2023:23:59:59 +/- x days, so that I can make both the absolute date itself and the number of days variables tied to dropdown buttons in the dashboard?


danspav
SplunkTrust

Hi @kevin_larsson,

Here's a dashboard you can use to get started:

[dashboard screenshot]

It has 2 dropdowns:

Deployment Date - this just works out the past 7 days and lists them in MMM DD format (the token is in Unix epoch format).

Range - This is a list of +/- day ranges to spread out your search. The token is a number indicating the days to add or subtract from your date.

Behind the scenes when you change one of the dropdowns there is an eval token that calculates the relative time difference between your selected time and the +/- range.

<change>
  <eval token="earliest">relative_time($deployment_date$,"-" . $form.range$ . "d")</eval>
  <eval token="latest">relative_time($deployment_date$,"+" . $form.range$ . "d")</eval>
</change>

$deployment_date$ is the value for the Date dropdown, and $form.range$ is the value for the +/- dropdown.

It would be easy enough to change the range to minutes, days, months, etc.


Here's the full code for the dashboard:

<form version="1.1" theme="light">
  <label>My Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="deployment_date" searchWhenChanged="true">
      <label>Deployment Date</label>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>starttime</fieldForValue>
      <search>
        <query>|gentimes start=-7 | eval label = strftime(starttime,"%b %d")
| reverse</query>
        <earliest>-1m@m</earliest>
      </search>
      <change>
        <eval token="earliest">relative_time($deployment_date$,"-" . $form.range$ . "d")</eval>
        <eval token="latest">relative_time($deployment_date$,"+" . $form.range$ . "d")</eval>
      </change>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
    <input type="dropdown" token="range" searchWhenChanged="true">
      <label>Range</label>
      <choice value="1">+/- 1 Day</choice>
      <choice value="2">+/- 2 Days</choice>
      <choice value="3">+/- 3 Days</choice>
      <choice value="4">+/- 4 Days</choice>
      <choice value="5">+/- 5 Days</choice>
      <default>1</default>
      <initialValue>1</initialValue>
      <change>
        <eval token="earliest">relative_time($form.deployment_date$,"-" . $form.range$ ."d")</eval>
        <eval token="latest">relative_time($form.deployment_date$,"+" . $form.range$ ."d")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval earliest=$earliest|s$, latest=$latest|s$
| eval earliest_readable=strftime(earliest,"%Y-%m-%d"), latest_readable=strftime(latest,"%Y-%m-%d")
| table earliest, earliest_readable, latest, latest_readable</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>


Cheers,
Daniel

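The same +/- window can be computed inside a search, which is a quick way to check what a given date and range resolve to before wiring them into dashboard tokens. The search below is an added example, not part of danspav's dashboard or of the original post; it assumes the deployment date arrives as a string in the questioner's own format (07/19/2023:23:59:59) rather than as the epoch value danspav's gentimes dropdown produces, and it hard-codes a 3-day range in place of the $form.range$ token. All field names (deploy_epoch, window_earliest, window_latest, the *_readable fields) are chosen here for illustration.

```spl
| makeresults
| eval deployment_date="07/19/2023:23:59:59", range_days=3
| eval deploy_epoch=strptime(deployment_date, "%m/%d/%Y:%H:%M:%S")
| eval window_earliest=relative_time(deploy_epoch, "-" . tostring(range_days) . "d")
| eval window_latest=relative_time(deploy_epoch, "+" . tostring(range_days) . "d")
| eval earliest_readable=strftime(window_earliest, "%Y-%m-%d %H:%M:%S")
| eval latest_readable=strftime(window_latest, "%Y-%m-%d %H:%M:%S")
| table deployment_date, range_days, window_earliest, earliest_readable, window_latest, latest_readable
```

strptime turns the absolute string into an epoch number, and relative_time then applies the relative specifier that the string concatenation builds ("-3d" and "+3d" here), giving a window of 2023-07-16 23:59:59 to 2023-07-22 23:59:59. Appending a snap-to unit to the specifier ("-3d@d") would instead align the boundary to midnight. In a dashboard the two literals become $form.deployment_date|s$ and $form.range$, and because earliest and latest are search-time modifiers rather than fields, the computed values are passed into the real search as earliest=$earliest$ latest=$latest$ from the <eval token> handlers, exactly as danspav's form does; doing it in a single search instead requires a subsearch that returns the two values.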