- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear experts
In my dashboard I have a time picker providing the token t_time.
My search
index="abc" search_name="def" [| makeresults
| eval earliest=relative_time($t_time.latest$,"-1d@d")
| eval latest=relative_time($t_time.latest$,"@d")
| fields earliest latest
| format]
| table _time zbpIdentifierShould pick up that token and make sure only data is displayed from the last full day before t_time.latest.
2024-12-12 13:13 should be converted to
earliest = 2024-12-11 00:00
latest = 2024-12-11 23:59:59 (or 2024-12-12 00:00)
As long really two dates are selected in the time picker, all works as expected.
If e.g. last 7 days is selected the search fails, no data is returned.
I'm guessing that in relative mode $t_time.latest$ is represented with something like "now", which causes problems for the relative_date function.
So the question is: how to detect this "now" and turn it into a date understood by relative_date?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Ste The solution is to use addinfo, if you make the search based on the time picker, then use addinfo in the subsearch, it will generate info_max_time, which is the normalised end epoch time for the time picker, then you can use that in your subsearch instead, i.e.
index="_audit" [| makeresults
| addinfo
| eval earliest=relative_time(info_max_time,"-1d@d")
| eval latest=relative_time(info_max_time,"@d")
| fields earliest latest
| format]
| table _time user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Ste The solution is to use addinfo, if you make the search based on the time picker, then use addinfo in the subsearch, it will generate info_max_time, which is the normalised end epoch time for the time picker, then you can use that in your subsearch instead, i.e.
index="_audit" [| makeresults
| addinfo
| eval earliest=relative_time(info_max_time,"-1d@d")
| eval latest=relative_time(info_max_time,"@d")
| fields earliest latest
| format]
| table _time user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bowesmana Exactly what I was looking for, thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure how to interpret your question. Do you mean $t_time.latest$ comes from an input selector?( @isoutamo's link shows how to retrieve the value after a search is complete.) For this, one way to handle it is to test its value before format.
index="abc" search_name="def"
[| makeresults
| eval earliest=relative_time($t_time.latest$,"-1d@d")
| eval latest=if("t_time.latest$" == "now", now(),
relative_time($t_time.latest$,"@d"))
| fields earliest latest
| format]
| table _time zbpIdentifier- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@yuanliu $t_time.latest$ comes from an input selector. As I wanted to have always the @d timestamp your proposal must be changed slightly.
Below is my untested proposal how a solution could look like based on a if evaluation:
index="abc" search_name="def"
[| makeresults
| eval earliest=relative_time($t_time.latest$,"-1d@d")
| eval latest=if("t_time.latest$" == "now", relative_time(now(), "@d")
relative_time($t_time.latest$,"@d"))
| fields earliest latest
| format]
| table _time zbpIdentifierHowever, for me the @bowesmana proposal is better understandable.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should show how it has done https://community.splunk.com/t5/Splunk-Search/Converting-d-for-eval-command/m-p/499983
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is one old example which probably helps you to understand how to use it?
<form version="1.1">
<label>Time Picker Control</label>
<init>
<set token="earliest">-24h</set>
<set token="latest">now</set>
</init>
<fieldset submitButton="false">
<input type="time" token="time_range">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
<change>
<eval token="earliest">if(relative_time</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<title>Simple timechart</title>
<chart>
<title>$ranges$</title>
<search>
<query>index=_audit
| timechart span=1h count
</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Calculation panel that limits historical range</title>
<table>
<search>
<done>
<set token="earliest">$result.earliest$</set>
<set token="latest">$result.info_max_time$</set>
<set token="ranges">$result.ranges$</set>
</done>
<query>| makeresults
| addinfo
| eval min_time=now()-(30*86400)
| eval earliest=if(info_min_time < min_time, min_time, info_min_time)
| eval initial_range="Time Picker range: ".strftime(info_min_time, "%F %T")." to ".strftime(info_max_time, "%F %T")
| eval limited_range="Search range ".strftime(earliest, "%F %T")." to ".strftime(info_max_time, "%F %T")
| eval ranges=mvappend(initial_range, limited_range)
| table ranges earliest info_min_time info_max_time
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>I cannot remember who has present it and when, probably here or Slack?
