Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to pass a variable to timechart span
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to pass a variable to timechart span
Hi,
I'm trying to determine the span parameter for timechart dynamically, but I can't find a way to get it to work. What I want to do is run a search within a limited timeframe and then do a timechart which always returns 2 bars (so span=(duration/2).
My search might contain something like:
blabla earliest=03/16/2015:00:00:00 latest=03/17/2015:00:00:00 | eval duration=strptime("03/17/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")-strptime("03/16/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")
where duration returns the amount of seconds between earliest and latest.
I tried converting this duraion field to a string (without .0000) concatenated with "s", and then pass it to "timechart span=", but that doesn't seem to work.
Is there any way to do this and pass a variable to span?
I found some solutions with bins, but there seems to be no way to enforce at least and at most 2 bins for a timechart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sloefke,
Take a look Here :
http://answers.splunk.com/answers/223518/is-there-a-command-that-can-do-the-same-work-of-sp.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have try that search too, i mean
| timechart span=duration count you are right it seems as span do not consider variable as we did.
If you really want to do that you can think of a form with 2 panels and one input for the value of span:
1-the first panel gives you the value of duration that you can read and enter as input for the second panel that will use it as span value via a token.
2-the input type should be text so that you can enter a string like 3600s
This is and axample where i have a form and the possibility to enter the span.
if you like it just add the other panel that will show you the exact duration to use.
<form>
<label>duration</label>
<fieldset submitButton="false">
<input type="text" token="duration" searchWhenChanged="true"></input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=_internal|timechart span=$duration$ c</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, the base problem indeed stems from a dashboard I'm trying to create with a dynamic time picker input. I want to change the timechart span value depending on the time picker input.
I don't want to force my users into inputting the correct values for the span themselves, because it is used for internal calculation (trending script) and most of the users will not be very IT or Splunk-proficient.
Another workaround might be hidden tokens in the forms, where I calculate the correct values and then pass them on to the search string as $variables$. Not sure whether:
1) hidden tokens exist
2) things like strftime and strptime can be performed within the XML?
Edit: macros seem like a possible solution:
[get_timespan(2)]
args = e, l
definition = "floor(strptime(\"$l$\", \"%m/%d/%Y:%H:%M:%S\")-strptime(\"$e$\", \"%m/%d/%Y:%H:%M:%S\")).\"s\""
iseval = 1
This query actually returns a table with "86400s" in each row:
bla | eval span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | table span
But this one fails:
bla | timechart span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` count
with error "The value for option span (floor(strptime(03/18/2015:00:00:00, %m/%d/%Y:%H:%M:%S)-strptime(03/17/2015:00:00:00, %m/%d/%Y:%H:%M:%S)).s) is invalid. ". I have no clue why it returns the string with the eval search, and it just expands the macro with timechart span. Getting a headache 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI, I WAS BUSY SO I DID NOT SEE YOUR COMMENT. I REALLY LIKE TO SEE THIS PROBLEM SOLVED.I WILL TAKE A LOOK AGAIN.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Sloefke ,
I'm seeing that you misused the span command
the syntax is span=duration not span (duration)
like for example span= 10s or span= 1h
try it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hm no, that's just the output from the error, I actually did a "| timechart span=duration count".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
OK if you are able to have the duration value which may be a float:
1- convert it into second using blablabla | eval duration=floor(duration)
this gives you duration without .00000
2- Now let's concatenate "s" using:
blablabla | eval duration=floor(duration)| eval duration= duration + "s"
3- Now the the value of duration is an integer folow by "s". you can now passed it to timechart span=duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer. I already tried something like it with a rex, so I also tried your floor() suggestion.
If I do this:
earliest=03/16/2015:00:00:00 latest=03/17/2015:00:00:00 | eval duration=strptime("03/17/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")-strptime("03/16/2015:00:00:00", "%m/%d/%Y:%H:%M:%S") | eval duration=floor(duration)."s" | table duration
I actually get a table with "86400s" in every row, which is what I want. But when I try to assign the duration variable to span, it only throws errors:
Error in 'timechart' command: The
value for option span (duration) is
invalid.
It looks like assigning variables to span isn't possible, unless I'm missing some syntax specifics?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
