How to get the timestamp of the most recent event ...

elekanne · ‎07-29-2015

I want to have the (sub)title of a pie chart changed to something like "value since 29 July 2015 21:58". That timestamp should come from the most recent event seen in the search for that pie chart. I'm not interested to see when this pie chart is refreshed, but more the timestamp of the most recent event.

Pie chart is using scheduled saved search at the moment.
At the moment I'm using simple XML.

jeffland · ‎08-10-2015

You could do this with javascript. You would have to include the time in your results, e.g. modify your search to something like

... | stats count latest(_time) by something

In your .js, you would need something like the following:

// get the search manager
var search = splunkjs.mvc.Components.getInstance("pie");

// get its results
var myResults = search.data("results");
var resultArray = [];
myResults.on("data", function() {
    resultArray = myResults.data().rows;
});

// add info when opening tooltip (delegate event listening)
$("#chart").on("mouseover", ".panel-body > div > div:nth-child(2) > div > svg g.highcharts-tracker", function(){
    // get title to compare which series of the chart we're looking at
    var title = $("table.highcharts-tooltip > tbody > tr:nth-child(1) > td:nth-child(2)").text();
    // calculate date based on corresponding series
    var d1 = new Date();
    for (var i = 0; i < resultArray.length; i++){
        if (title == resultArray[i][0]){
            d1.setTime(resultArray[i][2] * 1000);
            break;
        }
    }
    var time = d1.getDate() + '.'+ (d1.getMonth() + 1) + '.' + " " + d1.getHours() + ":" + d1.getMinutes();
    // add (or change) the date shown in the tooltip
    var text = '<tr class="unique"><td style="text-align: left; color: #cccccc; max-width: 663.9180019451253px;">value since</td><td style="text-align: right; color: #ffffff; max-width: 572.0819980548747px;">';
    if ($("table.highcharts-tooltip > tbody").find("tr.unique").length == 0) {
        $("table.highcharts-tooltip > tbody").append(t+time+'</td></tr>');
    } else {
        $("table.highcharts-tooltip > tbody > tr.unique").replaceWith(t+time+'</td></tr>');
    }

    // re-calculate the size of the black box behind the text
    var height = $("table.highcharts-tooltip").height();
    var width = $("table.highcharts-tooltip").width();
    var node = $("g.highcharts-tooltip")[0];
    var bbox = node.getBBox();
    var w = width / bbox.width;
    var h = height / bbox.height;
    var scalex = w*1.15, scaley = h*1.15;
    var scalestr = scalex + ',' + scaley;
    var regex = /(\w+\(\d+\,\d+\))/; // one way to make sure we only add scale once
    node.setAttribute('transform',regex.exec(node.getAttribute("transform"))[0]+'scale('+scalestr+')');
});

This is just a rough working example, you would have to adjust parts here and there to make it look like you want it. It assumes that your search has an id "pie" and your chart has an id "chart", and that your results look like this:

something | count | latest(_time)

If you need help with it, feel free to ask.

woodcock · ‎08-03-2015

You cannot do this with basic XML charting so you will have to do this with Django. Read more about it here:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Viz/WebFramework

somesoni2 · ‎07-29-2015

There is no option in the pie chart to set the label/title based on a search result field. The workaround that you can try is to add a single valued panel on top of the pie chart and make the search query of this single valued panel to get the latest event timestamp to show.

elekanne · ‎07-29-2015

Thanks for the reply. I've to look into other type of graphs.

How to get the timestamp of the most recent event in the title of a pie chart?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms