Solved: How to pass earliest and latest based on week numb...

sangs8788 · ‎09-01-2020

Hi

I have input fields which has value as week number. Based on the Weeknum selected, how do I pass on the earliest and latest date under my drilldown.

Here is my input field

<input type="dropdown" token="weeknum" searchWhenChanged="true">

And here is my drilldown section from one of the dashboard panel where time range gets passed to another page (sre_module_summary) in the name of token selectedearliest & selectedlatest. How to get the values for the token based on the weeknum selected from input panel.

<drilldown target="_blank">
<eval token="Module">$click.value$</eval>
<eval token="HostType">$HostType$</eval>
<link>
<![CDATA[/app/sre/sre_module_summary?form.Module=$Module$&host=$HostType$&form.timerange.earliest=$selectedearliest$&form.timerange.latest=$selectedlatest$]]>
</link>
</drilldown>

Could someone please help.

niketn · ‎09-03-2020

@sangs8788 your ask seems very similar to one of my previous answers, however, you need to derive your dashboard tokens based on week of the year. https://community.splunk.com/t5/Getting-Data-In/time-range-to-display-count-of-weekly/td-p/312588

If you add the following independent search to your dashboard, assuming the token for Week of the Year is called $tokWeek$, it will set $EarliestTime$ and $LatestTime$ as two tokens. You may not need fieldformat as that is for run anywhere example for illustration later.

        <search>
          <query>| makeresults
| fields - _time
| eval WeekOfTheYear=$tokWeek$-1,EarliestTimeModifier="+".WeekOfTheYear."w@w0",LatestTimeModifier="+$tokWeek$w@w6",FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")

| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
       LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)

| fields WeekOfTheYear FirstDayOfYear EarliestTimeModifier LatestTimeModifier EarliestTime LatestTime
| fieldformat FirstDayOfYear=strftime(FirstDayOfYear,"%Y/%m/%d")
| fieldformat EarliestTime=strftime(EarliestTime,"%Y/%m/%d")
| fieldformat LatestTime=strftime(LatestTime,"%Y/%m/%d")</query>
          <earliest>-1s</earliest>
          <latest>0</latest>
          <done>
            <set token="EarliestTime">$result.EarliestTime$</set>
            <set token="LatestTime">$result.LatestTime$</set>
          </done>
        </search>

Following is the Simple XML code for sample example dashboard above to test:

<form>
  <label>Week of The Year to time tokens</label>
  <!-- Independent Search to Set Current Week in Text Box -->
  <search>
    <done>
      <set token="CurrentWeekOfTheYear">$result.CurrentWeekOfTheYear$</set>
    </done>
    <query>| makeresults 
| fields - _time 
| eval CurrentWeekOfTheYear=strftime(now(),"%V")</query>
    <earliest>-1s</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="text" token="tokWeek" searchWhenChanged="true">
      <label>Enter Week Number (Current Week # by default)</label>
      <default>$CurrentWeekOfTheYear$</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Reference: https://www.tutorialspoint.com/python/time_strptime.htm</title>
      <html>
        <div>
          <pre>
%V - The ISO 8601 week number of the current year (01 to 53), where week 1 is the first week that has at least 4 days in the current year, and with Monday as the first day of the week
          </pre>
          <div>CurrentWeekOfTheYear: <b>$CurrentWeekOfTheYear$</b> | EarliestTime: <b>$EarliestTime$</b> | LatestTime: <b>$LatestTime$</b> |</div>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval WeekOfTheYear=$tokWeek$-1,EarliestTimeModifier="+".WeekOfTheYear."w@w0",LatestTimeModifier="+$tokWeek$w@w6",FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")

| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
       LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)

| fields WeekOfTheYear FirstDayOfYear EarliestTimeModifier LatestTimeModifier EarliestTime LatestTime
| fieldformat FirstDayOfYear=strftime(FirstDayOfYear,"%Y/%m/%d")
| fieldformat EarliestTime=strftime(EarliestTime,"%Y/%m/%d")
| fieldformat LatestTime=strftime(LatestTime,"%Y/%m/%d")</query>
          <earliest>-1s</earliest>
          <latest>0</latest>
          <done>
            <set token="EarliestTime">$result.EarliestTime$</set>
            <set token="LatestTime">$result.LatestTime$</set>
          </done>
        </search>
        <!-- Run Anywhere Search, to set earliest and latest epoch time tokens for a week depending of selected week of the year. For Demo Placed Under a table.-->
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

sangs8788 · ‎09-02-2020

@niketn is this something which you can help me on? Could you please provide suggestion

niketn · ‎09-03-2020

@sangs8788 your ask seems very similar to one of my previous answers, however, you need to derive your dashboard tokens based on week of the year. https://community.splunk.com/t5/Getting-Data-In/time-range-to-display-count-of-weekly/td-p/312588

If you add the following independent search to your dashboard, assuming the token for Week of the Year is called $tokWeek$, it will set $EarliestTime$ and $LatestTime$ as two tokens. You may not need fieldformat as that is for run anywhere example for illustration later.

        <search>
          <query>| makeresults
| fields - _time
| eval WeekOfTheYear=$tokWeek$-1,EarliestTimeModifier="+".WeekOfTheYear."w@w0",LatestTimeModifier="+$tokWeek$w@w6",FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")

| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
       LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)

| fields WeekOfTheYear FirstDayOfYear EarliestTimeModifier LatestTimeModifier EarliestTime LatestTime
| fieldformat FirstDayOfYear=strftime(FirstDayOfYear,"%Y/%m/%d")
| fieldformat EarliestTime=strftime(EarliestTime,"%Y/%m/%d")
| fieldformat LatestTime=strftime(LatestTime,"%Y/%m/%d")</query>
          <earliest>-1s</earliest>
          <latest>0</latest>
          <done>
            <set token="EarliestTime">$result.EarliestTime$</set>
            <set token="LatestTime">$result.LatestTime$</set>
          </done>
        </search>

Following is the Simple XML code for sample example dashboard above to test:

<form>
  <label>Week of The Year to time tokens</label>
  <!-- Independent Search to Set Current Week in Text Box -->
  <search>
    <done>
      <set token="CurrentWeekOfTheYear">$result.CurrentWeekOfTheYear$</set>
    </done>
    <query>| makeresults 
| fields - _time 
| eval CurrentWeekOfTheYear=strftime(now(),"%V")</query>
    <earliest>-1s</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="text" token="tokWeek" searchWhenChanged="true">
      <label>Enter Week Number (Current Week # by default)</label>
      <default>$CurrentWeekOfTheYear$</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Reference: https://www.tutorialspoint.com/python/time_strptime.htm</title>
      <html>
        <div>
          <pre>
%V - The ISO 8601 week number of the current year (01 to 53), where week 1 is the first week that has at least 4 days in the current year, and with Monday as the first day of the week
          </pre>
          <div>CurrentWeekOfTheYear: <b>$CurrentWeekOfTheYear$</b> | EarliestTime: <b>$EarliestTime$</b> | LatestTime: <b>$LatestTime$</b> |</div>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval WeekOfTheYear=$tokWeek$-1,EarliestTimeModifier="+".WeekOfTheYear."w@w0",LatestTimeModifier="+$tokWeek$w@w6",FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")

| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
       LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)

| fields WeekOfTheYear FirstDayOfYear EarliestTimeModifier LatestTimeModifier EarliestTime LatestTime
| fieldformat FirstDayOfYear=strftime(FirstDayOfYear,"%Y/%m/%d")
| fieldformat EarliestTime=strftime(EarliestTime,"%Y/%m/%d")
| fieldformat LatestTime=strftime(LatestTime,"%Y/%m/%d")</query>
          <earliest>-1s</earliest>
          <latest>0</latest>
          <done>
            <set token="EarliestTime">$result.EarliestTime$</set>
            <set token="LatestTime">$result.LatestTime$</set>
          </done>
        </search>
        <!-- Run Anywhere Search, to set earliest and latest epoch time tokens for a week depending of selected week of the year. For Demo Placed Under a table.-->
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sangs8788 · ‎09-04-2020

Thanks a lot. This works for me. Just did few changes on the number of days to be selected for the week.

How to pass earliest and latest based on week number under drilldown

field extraction

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Are you a member of the Splunk Community?

How to pass earliest and latest based on week number under drilldown

field extraction

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...