Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my XML to use a timepicker output to c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nehal_shah
Explorer
11-22-2016
04:38 AM
Hi All,
I have a Splunk form where I am using 2 time pickers to come up with different times for 3 different joins in my search.
I, however, want to calculate the earliest in my XML to be 2w before any of the times.
As soon as I put eval in the change section, it doesn't work. I am, however, not sure of the syntax anyway.
I have modified the form to just include the bits that are relevant here.
Any help is appreciated.
<input type="time" token="baseline" searchWhenChanged="false">
<label>Time span for gettign healthy data</label>
<default>
<earliestTime>-20m</earliestTime>
<latestTime>-10m</latestTime>
</default>
</input>
<label>Time span for the issue</label>
<default>
<earliestTime>-10m</earliestTime>
<latestTime>now</latestTime>
</default>
<change>
<eval token="new_time">'issue.earliest'-2w</eval>
</change>
</input>
<panel>
<title>Stream interruption cosidering the baseline in previous 10mins</title>
<table>
<search>
<query>
"some query here"
</query>
<earliest>$new_time$</earliest>
<latest>$issue.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">50</option>
</table>
</panel>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
11-22-2016
06:59 AM
Try something like this
<input token="issue">
<change>
<eval token="new_time">if(isnum($issue.earliest$), relative_time($issue.earliest$, "-2w@w"), relative_time(relative_time(now(), $issue.earliest$), "-2w@w"))</eval>
</change>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
11-22-2016
06:59 AM
Try something like this
<input token="issue">
<change>
<eval token="new_time">if(isnum($issue.earliest$), relative_time($issue.earliest$, "-2w@w"), relative_time(relative_time(now(), $issue.earliest$), "-2w@w"))</eval>
</change>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nehal_shah
Explorer
11-22-2016
09:40 AM
Thanks buddy. Works like a charm.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
