Hi All,
I have a Splunk form where I am using 2 time pickers to come up with different times for 3 different joins in my search.
I, however, want to calculate the earliest in my XML to be 2w before any of the times.
As soon as I put eval in the change section, it doesn't work. I am, however, not sure of the syntax anyway.
I have modified the form to just include the bits that are relevant here.
Any help is appreciated.
<input type="time" token="baseline" searchWhenChanged="false">
<label>Time span for gettign healthy data</label>
<default>
<earliestTime>-20m</earliestTime>
<latestTime>-10m</latestTime>
</default>
</input>
<label>Time span for the issue</label>
<default>
<earliestTime>-10m</earliestTime>
<latestTime>now</latestTime>
</default>
<change>
<eval token="new_time">'issue.earliest'-2w</eval>
</change>
</input>
<panel>
<title>Stream interruption cosidering the baseline in previous 10mins</title>
<table>
<search>
<query>
"some query here"
</query>
<earliest>$new_time$</earliest>
<latest>$issue.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">50</option>
</table>
</panel>
Try something like this
<input token="issue">
<change>
<eval token="new_time">if(isnum($issue.earliest$), relative_time($issue.earliest$, "-2w@w"), relative_time(relative_time(now(), $issue.earliest$), "-2w@w"))</eval>
</change>
</input>
Try something like this
<input token="issue">
<change>
<eval token="new_time">if(isnum($issue.earliest$), relative_time($issue.earliest$, "-2w@w"), relative_time(relative_time(now(), $issue.earliest$), "-2w@w"))</eval>
</change>
</input>
Thanks buddy. Works like a charm.