Splunk Search

How to pass a variable to timechart span

Sloefke
Path Finder

Hi,

I'm trying to determine the span parameter for timechart dynamically, but I can't find a way to get it to work. What I want to do is run a search within a limited timeframe and then do a timechart which always returns 2 bars (so span=duration/2).

My search might contain something like:

blabla earliest=03/16/2015:00:00:00 latest=03/17/2015:00:00:00 | eval duration=strptime("03/17/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")-strptime("03/16/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")

where duration returns the amount of seconds between earliest and latest.

I tried converting this duration field to a string (without .0000) concatenated with "s", and then passing it to "timechart span=", but that doesn't seem to work.

Is there any way to do this and pass a variable to span?

I found some solutions with bins, but there seems to be no way to enforce at least and at most 2 bins for a timechart?

stephane_cyrill
Builder

I have tried that search too, I mean

| timechart span=duration count

You are right, it seems span does not consider a variable as we did.

If you really want to do that you can think of a form with 2 panels and one input for the value of span:

1- the first panel gives you the value of duration that you can read and enter as input for the second panel, which will use it as span value via a token.

2- the input type should be text so that you can enter a string like 3600s

This is an example where I have a form and the possibility to enter the span.
If you like it, just add the other panel that will show you the exact duration to use.

<form>
  <label>duration</label>
  <fieldset submitButton="false">
    <input type="text" token="duration" searchWhenChanged="true"></input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal|timechart span=$duration$ c</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma

Sloefke
Path Finder

Well, the base problem indeed stems from a dashboard I'm trying to create with a dynamic time picker input. I want to change the timechart span value depending on the time picker input.

I don't want to force my users into inputting the correct values for the span themselves, because it is used for internal calculation (trending script) and most of the users will not be very IT or Splunk-proficient.

Another workaround might be hidden tokens in the forms, where I calculate the correct values and then pass them on to the search string as $variables$. Not sure whether:
1) hidden tokens exist
2) things like strftime and strptime can be performed within the XML?

Edit: macros seem like a possible solution:

[get_timespan(2)]
args = e, l
definition = "floor(strptime(\"$l$\", \"%m/%d/%Y:%H:%M:%S\")-strptime(\"$e$\", \"%m/%d/%Y:%H:%M:%S\")).\"s\""
iseval = 1

This query actually returns a table with "86400s" in each row:

bla | eval span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | table span

But this one fails:

bla | timechart span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` count

with error "The value for option span (floor(strptime(03/18/2015:00:00:00, %m/%d/%Y:%H:%M:%S)-strptime(03/17/2015:00:00:00, %m/%d/%Y:%H:%M:%S)).s) is invalid. ". I have no clue why it returns the string with the eval search, and it just expands the macro with timechart span. Getting a headache 🙂

0 Karma
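
An added example (not code from either poster) of the hidden-token idea asked about above: a helper search with no panel computes the span from the time picker's resolved bounds and hands it to the chart as a token, so users never type a span themselves. It assumes Simple XML search event handlers (`<done>` / `<set>`), which exist only in Splunk versions newer than this thread likely used, and uses index=_internal purely as sample data.

```xml
<form>
  <label>Two-bin timechart (span derived from time picker)</label>
  <fieldset submitButton="false">
    <input type="time" token="tp" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Hidden helper search: it has no panel and only sets the span token.
       addinfo exposes the resolved search window as epoch seconds
       (info_min_time / info_max_time); "All time" yields a non-numeric
       info_max_time, which the if() guard replaces with now(). -->
  <search id="span_calc">
    <query>| makeresults
| addinfo
| eval end=if(isnum(info_max_time), info_max_time, now())
| eval span_s=floor((end-info_min_time)/2)."s"
| fields span_s</query>
    <earliest>$tp.earliest$</earliest>
    <latest>$tp.latest$</latest>
    <done>
      <!-- First result row becomes the token, e.g. "43200s" for a 24h window -->
      <set token="span_tok">$result.span_s$</set>
    </done>
  </search>
  <row>
    <panel>
      <title>Events per half-window (span=$span_tok$)</title>
      <chart>
        <!-- The chart search only runs once $span_tok$ is defined -->
        <search>
          <query>index=_internal | timechart span=$span_tok$ count</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

One caveat to check on your version: timechart aligns its buckets to multiples of the span rather than to the window start, so a window that does not begin on such a boundary can still render three partial columns even though span is exactly half the window.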

stephane_cyrill
Builder

Hi, I was busy so I did not see your comment. I really like to see this problem solved. I will take a look again.

0 Karma

stephane_cyrill
Builder

Hello Sloefke,
I'm seeing that you misused the span command:
the syntax is span=duration, not span (duration),
like, for example, span=10s or span=1h.
Try it.

0 Karma

Sloefke
Path Finder

Hm no, that's just the output from the error, I actually did a "| timechart span=duration count".

0 Karma

stephane_cyrill
Builder

Hi,
OK, if you are able to have the duration value, which may be a float:

1- convert it into seconds using blablabla | eval duration=floor(duration)
this gives you the duration without .00000

2- Now let's concatenate "s" using:

blablabla | eval duration=floor(duration) | eval duration=duration."s"

3- Now the value of duration is an integer followed by "s". You can now pass it to timechart span=duration

0 Karma

Sloefke
Path Finder

Thanks for your answer. I already tried something like it with a rex, so I also tried your floor() suggestion.

If I do this:

earliest=03/16/2015:00:00:00 latest=03/17/2015:00:00:00 | eval duration=strptime("03/17/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")-strptime("03/16/2015:00:00:00", "%m/%d/%Y:%H:%M:%S") | eval duration=floor(duration)."s" | table duration

I actually get a table with "86400s" in every row, which is what I want. But when I try to assign the duration variable to span, it only throws errors:

Error in 'timechart' command: The value for option span (duration) is invalid.

It looks like assigning variables to span isn't possible, unless I'm missing some syntax specifics?

0 Karma