Splunk Search

How to pass earliest and latest based on week number under drilldown

sangs8788
Communicator

Hi

I have an input field which has a week number as its value. Based on the weeknum selected, how do I pass on the earliest and latest date under my drilldown?

Here is my input field

 

<input type="dropdown" token="weeknum" searchWhenChanged="true">

 

And here is my drilldown section from one of the dashboard panels, where the time range gets passed to another page (sre_module_summary) in the tokens selectedearliest & selectedlatest. How do I get the values for these tokens based on the weeknum selected from the input panel?

 

<drilldown target="_blank">
<eval token="Module">$click.value$</eval>
<eval token="HostType">$HostType$</eval>
<link>
<![CDATA[/app/sre/sre_module_summary?form.Module=$Module$&host=$HostType$&form.timerange.earliest=$selectedearliest$&form.timerange.latest=$selectedlatest$]]>
</link>
</drilldown>

 

Could someone please help.


niketn
Legend

@sangs8788 your ask seems very similar to one of my previous answers, however, you need to derive your dashboard tokens based on week of the year. https://community.splunk.com/t5/Getting-Data-In/time-range-to-display-count-of-weekly/td-p/312588

If you add the following independent search to your dashboard, assuming the token for Week of the Year is called $tokWeek$, it will set $EarliestTime$ and $LatestTime$ as two tokens. You may not need fieldformat, as that is for the run-anywhere example used for illustration later.

 

        <search>
          <query>| makeresults
| fields - _time
| eval WeekOfTheYear=$tokWeek$-1,EarliestTimeModifier="+".WeekOfTheYear."w@w0",LatestTimeModifier="+$tokWeek$w@w6",FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")

| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
       LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)

| fields WeekOfTheYear FirstDayOfYear EarliestTimeModifier LatestTimeModifier EarliestTime LatestTime
| fieldformat FirstDayOfYear=strftime(FirstDayOfYear,"%Y/%m/%d")
| fieldformat EarliestTime=strftime(EarliestTime,"%Y/%m/%d")
| fieldformat LatestTime=strftime(LatestTime,"%Y/%m/%d")</query>
          <earliest>-1s</earliest>
          <latest>0</latest>
          <done>
            <set token="EarliestTime">$result.EarliestTime$</set>
            <set token="LatestTime">$result.LatestTime$</set>
          </done>
        </search>

 


Following is the Simple XML code for the sample dashboard above to test:

<form>
  <label>Week of The Year to time tokens</label>
  <!-- Independent Search to Set Current Week in Text Box -->
  <search>
    <done>
      <set token="CurrentWeekOfTheYear">$result.CurrentWeekOfTheYear$</set>
    </done>
    <query>| makeresults 
| fields - _time 
| eval CurrentWeekOfTheYear=strftime(now(),"%V")</query>
    <earliest>-1s</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="text" token="tokWeek" searchWhenChanged="true">
      <label>Enter Week Number (Current Week # by default)</label>
      <default>$CurrentWeekOfTheYear$</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Reference: https://www.tutorialspoint.com/python/time_strptime.htm</title>
      <html>
        <div>
          <pre>
%V - The ISO 8601 week number of the current year (01 to 53), where week 1 is the first week that has at least 4 days in the current year, and with Monday as the first day of the week
          </pre>
          <div>CurrentWeekOfTheYear: <b>$CurrentWeekOfTheYear$</b> | EarliestTime: <b>$EarliestTime$</b> | LatestTime: <b>$LatestTime$</b> |</div>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval WeekOfTheYear=$tokWeek$-1,EarliestTimeModifier="+".WeekOfTheYear."w@w0",LatestTimeModifier="+$tokWeek$w@w6",FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")

| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
       LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)

| fields WeekOfTheYear FirstDayOfYear EarliestTimeModifier LatestTimeModifier EarliestTime LatestTime
| fieldformat FirstDayOfYear=strftime(FirstDayOfYear,"%Y/%m/%d")
| fieldformat EarliestTime=strftime(EarliestTime,"%Y/%m/%d")
| fieldformat LatestTime=strftime(LatestTime,"%Y/%m/%d")</query>
          <earliest>-1s</earliest>
          <latest>0</latest>
          <done>
            <set token="EarliestTime">$result.EarliestTime$</set>
            <set token="LatestTime">$result.LatestTime$</set>
          </done>
        </search>
        <!-- Run Anywhere Search, to set earliest and latest epoch time tokens for a week depending on the selected week of the year. For demo, placed under a table. -->
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
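
Hardened variant of the independent search above, as an added example that is not part of niketn's post: $tokWeek$ comes from a free-text input and is substituted textually into the SPL, so this version quotes it with the |s token filter, accepts only week numbers 1 to 53, and sets the time tokens only when the search returned a row. The field names WeekRaw and WeekNum are assumptions introduced for illustration.

```xml
<!-- Added example, not from the original post. WeekRaw and WeekNum are
     hypothetical field names; tokens and time modifiers follow the answer. -->
<search>
  <query>| makeresults
| fields - _time
| eval WeekRaw=$tokWeek|s$
| eval WeekNum=if(match(WeekRaw,"^(0?[1-9]|[1-4][0-9]|5[0-3])$"),tonumber(WeekRaw),null())
| where isnotnull(WeekNum)
| eval WeekOfTheYear=WeekNum-1,
       EarliestTimeModifier="+".WeekOfTheYear."w@w0",
       LatestTimeModifier="+".WeekNum."w@w6",
       FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")
| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
       LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)
| fields WeekNum EarliestTime LatestTime</query>
  <earliest>-1s</earliest>
  <latest>0</latest>
  <done>
    <!-- A row exists only when the input passed the match() check -->
    <condition match="'job.resultCount' &gt; 0">
      <set token="EarliestTime">$result.EarliestTime$</set>
      <set token="LatestTime">$result.LatestTime$</set>
    </condition>
    <!-- Anything else: clear the tokens so the drilldown link gets no stale range -->
    <condition>
      <unset token="EarliestTime"></unset>
      <unset token="LatestTime"></unset>
    </condition>
  </done>
</search>
```

With this in place, the only values that can reach $EarliestTime$ and $LatestTime$ (and from there the drilldown link) are epoch numbers computed by the search, never the raw text typed into the input.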


sangs8788
Communicator

@niketn is this something which you can help me on? Could you please provide a suggestion?



sangs8788
Communicator

Thanks a lot. This works for me. Just did a few changes on the number of days to be selected for the week.

 
