How to pass a variable to timechart span

Path Finder


I'm trying to determine the span parameter for timechart dynamically, but I can't find a way to get it to work. What I want to do is run a search within a limited timeframe and then do a timechart which always returns 2 bars (so span = duration/2).

My search might contain something like:

blabla earliest=03/16/2015:00:00:00 latest=03/17/2015:00:00:00 | eval duration=strptime("03/17/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")-strptime("03/16/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")

where duration returns the amount of seconds between earliest and latest.

I tried converting this duration field to a string (without .0000), concatenating it with "s", and then passing it to "timechart span=", but that doesn't seem to work.

Is there any way to do this and pass a variable to span?

I found some solutions with bins, but there seems to be no way to enforce at least and at most 2 bins for a timechart?

0 Karma


I have tried that search too, I mean:

| timechart span=duration count

You are right, it seems span does not accept a variable the way we used it.

If you really want to do that, you can think of a form with 2 panels and one input for the value of span:

1- The first panel gives you the value of duration, which you can read and enter as input for the second panel, which will use it as the span value via a token.

2- The input type should be text so that you can enter a string like 3600s.

This is an example where I have a form and the possibility to enter the span.
If you like it, just add the other panel that will show you the exact duration to use.

  <form>
    <label>Timechart with a user-supplied span</label>
    <fieldset submitButton="false">
      <input type="text" token="duration" searchWhenChanged="true">
        <label>Span (for example 3600s)</label>
        <!-- a default keeps the first search valid; an empty token would expand to "span=" -->
        <default>3600s</default>
      </input>
    </fieldset>
    <row>
      <panel>
        <chart>
          <search>
            <!-- the token is substituted into the query text before the search is parsed -->
            <query>index=_internal | timechart span=$duration$ count</query>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </search>
          <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
          <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
          <option name="charting.axisTitleX.visibility">visible</option>
          <option name="charting.axisTitleY.visibility">visible</option>
          <option name="charting.axisTitleY2.visibility">visible</option>
          <option name="charting.axisX.scale">linear</option>
          <option name="charting.axisY.scale">linear</option>
          <option name="charting.axisY2.enabled">false</option>
          <option name="charting.axisY2.scale">inherit</option>
          <option name="charting.chart">column</option>
          <option name="charting.chart.bubbleMaximumSize">50</option>
          <option name="charting.chart.bubbleMinimumSize">10</option>
          <option name="charting.chart.bubbleSizeBy">area</option>
          <option name="charting.chart.nullValueMode">gaps</option>
          <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
          <option name="charting.chart.stackMode">default</option>
          <option name="charting.chart.style">shiny</option>
          <option name="charting.drilldown">all</option>
          <option name="charting.layout.splitSeries">0</option>
          <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
          <option name="charting.legend.placement">right</option>
        </chart>
      </panel>
    </row>
  </form>

0 Karma

Path Finder

Well, the base problem indeed stems from a dashboard I'm trying to create with a dynamic time picker input. I want to change the timechart span value depending on the time picker input.

I don't want to force my users into inputting the correct values for the span themselves, because it is used for internal calculation (trending script) and most of the users will not be very IT or Splunk-proficient.

Another workaround might be hidden tokens in the forms, where I calculate the correct values and then pass them on to the search string as $variables$. Not sure whether:
1) hidden tokens exist
2) things like strftime and strptime can be performed within the XML?

Edit: macros seem like a possible solution:

args = e, l
definition = "floor(strptime(\"$l$\", \"%m/%d/%Y:%H:%M:%S\")-strptime(\"$e$\", \"%m/%d/%Y:%H:%M:%S\")).\"s\""
iseval = 1

This query actually returns a table with "86400s" in each row:

bla | eval span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | table span

But this one fails:

bla | timechart span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` count

with error "The value for option span (floor(strptime(03/18/2015:00:00:00, %m/%d/%Y:%H:%M:%S)-strptime(03/17/2015:00:00:00, %m/%d/%Y:%H:%M:%S)).s) is invalid. ". I have no clue why it returns the string with the eval search, and it just expands the macro with timechart span. Getting a headache 🙂

0 Karma
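An added example, not from the thread, showing the macro above in a form that works with timechart. The definition as posted is one quoted string, so what the eval-based macro returns is the expression text, not its value: `| eval span=...` then evaluated that text and produced 86400s, while `timechart span=` only accepts a finished span literal and rejected it. Writing the definition as a bare eval expression makes the macro return the computed string itself. The stanza name, the division by 2 (for the two-bar requirement) and the comment lines are my additions.

```ini
# macros.conf (added example; stanza name assumed, not the original poster's file)
# With iseval = 1 the definition is an eval expression. It must NOT be wrapped in
# quotes: Splunk splices the expression's result (e.g. 43200s) into the search,
# whereas a quoted definition splices in the expression text, which timechart
# cannot parse as a span.
[get_timespan(2)]
args = e, l
definition = floor((strptime("$l$", "%m/%d/%Y:%H:%M:%S") - strptime("$e$", "%m/%d/%Y:%H:%M:%S")) / 2) . "s"
iseval = 1
```

With that file in place, `index=_internal | timechart span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` count` expands to `timechart span=43200s count` before the command is parsed. The arguments are literal timestamps in the format the strptime call expects, so this suits a search where both bounds are known strings; a dashboard time picker hands you relative specifiers like -24h@h, which this macro would not parse.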


Hello Sloefke,
I'm seeing that you misused the span option.
The syntax is span=duration, not span (duration),
like for example span=10s or span=1h.
Try it.

0 Karma

Path Finder

Hm no, that's just the output from the error; I actually did a "| timechart span=duration count".

0 Karma


Hi,
OK, if you are able to get the duration value, which may be a float:

1- Convert it into seconds using blablabla | eval duration=floor(duration)
This gives you duration without .00000

2- Now let's concatenate "s" using:

blablabla | eval duration=floor(duration)| eval duration= duration + "s"

3- Now the value of duration is an integer followed by "s". You can now pass it to timechart span=duration

0 Karma

Path Finder

Thanks for your answer. I already tried something like it with a rex, and I also tried your floor() suggestion.

If I do this:

earliest=03/16/2015:00:00:00 latest=03/17/2015:00:00:00 | eval duration=strptime("03/17/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")-strptime("03/16/2015:00:00:00", "%m/%d/%Y:%H:%M:%S") | eval duration=floor(duration)."s" | table duration

I actually get a table with "86400s" in every row, which is what I want. But when I try to assign the duration variable to span, it only throws errors:

Error in 'timechart' command: The
value for option span (duration) is

It looks like assigning variables to span isn't possible, unless I'm missing some syntax specifics?

0 Karma
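An added example of my own, not from the thread, for the dashboard case described earlier in the thread (a time picker, users who should not have to type a span). `span=` rejects a field because option values are parsed before any event exists; a subsearch, by contrast, is run first and its output is spliced into the search text, exactly like a token or macro. `addinfo` exposes the search's own time bounds as info_min_time and info_max_time, so the span tracks whatever range the time picker selected. It assumes the range is set by the time picker or the search's earliest/latest settings; an inline `earliest=`/`latest=` term in the outer search applies to that search only and is not inherited by the subsearch. The index, sourcetype and the 10-year guard are constructed values for illustration.

```spl
index=_internal sourcetype=splunkd
| timechart [
      | makeresults
      | addinfo
      | eval duration = info_max_time - info_min_time
      | eval span = if(isnull(duration) OR duration <= 0 OR duration > 315360000,
                       "1d",
                       floor(duration / 2) . "s")
      | return span
  ] count
```

For a 24-hour range the subsearch emits span="43200s" and the command runs as `timechart span="43200s" count`. The guard exists because "All time" gives info_max_time of +Infinity, which leaves duration null or absurdly large; the constructed fallback of 1d keeps the chart rendering instead of failing. Two caveats: timechart snaps bins to multiples of the span, so a range that does not start on a span boundary yields three partial bins rather than two (newer releases offer the `aligntime` option on timechart to pin the first bin to the earliest time), and `bins=2` is only an upper bound, which is why it does not guarantee exactly two bars. The same query can sit unchanged in a dashboard `<chart>` whose `<search>` takes its `<earliest>`/`<latest>` from the time input's tokens, which is what the subsearch inherits.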