Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass earliest/latest and time input to the search as the same token to the searches in the dashboard?

sbollam
Explorer
‎06-09-2021 02:21 AM

I have created a time input and also two text boxes to pass earliest and latest values to the searches.

When I select the time range from the time input, earliest and latest needs to be ignored.

index=_internal sourcetype=splunkd | stats count  --> This is for last seven days.

when i pass earliest and latest to the search, time input should be ignored.

earliest=06/01/2021:00:00:00 latest=06/02/00:00:00 index=_internal sourcetype=splunk | stats count 

I have this code:

<fieldset submitButton="true">
<input type="dropdown" token="choose">
<label>choose</label>
<choice value="timeRange">timeRange</choice>
<choice value="specificWindow">specificWindow</choice>
<change>
<condition label="timeRange">
<set token="timeRange">true</set>
<unset token="earliestLatest"></unset>
</condition>
<condition label="specificWindow">
<unset token="timeRange"></unset>
<set token="earliestLatest">true</set>
</condition>
</change>
<default>specificWindow</default>
</input>
<input type="time" token="timerange" depends="$timeRange$">
<label>Time</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="earliestTime" depends="$earliestLatest$">
<label>StartDate</label>
<default></default>
</input>
<input type="text" token="latestTime" depends="$earliestLatest$">
<label>EndDate</label>
<default></default>
</input>

How can i do this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-09-2021 03:04 AM 
<form>
  <label>Time test</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="choose">
      <label>choose</label>
      <choice value="timeRange">timeRange</choice>
      <choice value="specificWindow">specificWindow</choice>
      <change>
        <condition label="timeRange">
          <set token="timeRange">true</set>
          <unset token="earliestLatest"></unset>
        </condition>
        <condition label="specificWindow">
          <unset token="timeRange"></unset>
          <set token="earliestLatest">true</set>
        </condition>
      </change>
      <default>specificWindow</default>
    </input>
    <input type="time" token="timerange" depends="$timeRange$">
      <label>Time</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <set token="form.earliestTime">$earliest$</set>
        <set token="form.latestTime">$latest$</set>
      </change>
    </input>
    <input type="text" token="earliestTime" depends="$earliestLatest$">
      <label>StartDate</label>
      <default></default>
      <change>
        <set token="form.timerange.earliest">$value$</set>
      </change>
    </input>
    <input type="text" token="latestTime" depends="$earliestLatest$">
      <label>EndDate</label>
      <default></default>
      <change>
        <set token="form.timerange.latest">$value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>timerange $timerange.earliest$ - $timerange.latest$ earliest $earliestTime$ latest $latestTime$</title>
      <table>
        <search>
          <query>index=_internal 
| stats count by log_level</query>
          <earliest>$timerange.earliest$</earliest>
          <latest>$timerange.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

Reply
Solved! Jump to solution

sbollam
Explorer
‎06-09-2021 06:49 AM

@ITWhisperer , Thanks a ton!! It worked like a charm.

0 Karma
Reply
Solved! Jump to solution

sbollam
Explorer
‎06-09-2021 06:18 AM

@ITWhisperer , Thank you for the response!!

I was able to retrieve events when i give time range both in text box and the time input. But the problem is when the give time range in the format: %m/%d/%y:%HH:%MM:%SS in the text boxes it's not working. It's throwing me an exception as "Invalid earliest_time".

Please find the screenshot attached.

Earliest_time_error.PNG
Preview file
39 KB
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-09-2021 06:42 AM

You could try parsing and formatting the time between input types (note I have use one format but you may want to use a different one)

<form>
  <label>Time test</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="choose">
      <label>choose</label>
      <choice value="timeRange">timeRange</choice>
      <choice value="specificWindow">specificWindow</choice>
      <change>
        <condition label="timeRange">
          <set token="timeRange">true</set>
          <unset token="earliestLatest"></unset>
        </condition>
        <condition label="specificWindow">
          <unset token="timeRange"></unset>
          <set token="earliestLatest">true</set>
        </condition>
      </change>
      <default>specificWindow</default>
    </input>
    <input type="time" token="timerange" depends="$timeRange$">
      <label>Time</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="form.earliestTime">strftime(relative_time(now(),$earliest$),"%Y/%m/%d %H:%M:%S")</eval>
        <eval token="form.latestTime">strftime(relative_time(now(),$latest$),"%Y/%m/%d %H:%M:%S")</eval>
      </change>
    </input>
    <input type="text" token="earliestTime" depends="$earliestLatest$">
      <label>StartDate</label>
      <default></default>
      <change>
        <eval token="form.timerange.earliest">strptime($value$,"%Y/%m/%d %H:%M:%S")</eval>
      </change>
    </input>
    <input type="text" token="latestTime" depends="$earliestLatest$">
      <label>EndDate</label>
      <default></default>
      <change>
        <eval token="form.timerange.latest">strptime($value$,"%Y/%m/%d %H:%M:%S")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>timerange $timerange.earliest$ - $timerange.latest$ earliest $earliestTime$ latest $latestTime$</title>
      <table>
        <search>
          <query>index=_internal 
| stats count by log_level</query>
          <earliest>$timerange.earliest$</earliest>
          <latest>$timerange.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-09-2021 03:04 AM 
<form>
  <label>Time test</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="choose">
      <label>choose</label>
      <choice value="timeRange">timeRange</choice>
      <choice value="specificWindow">specificWindow</choice>
      <change>
        <condition label="timeRange">
          <set token="timeRange">true</set>
          <unset token="earliestLatest"></unset>
        </condition>
        <condition label="specificWindow">
          <unset token="timeRange"></unset>
          <set token="earliestLatest">true</set>
        </condition>
      </change>
      <default>specificWindow</default>
    </input>
    <input type="time" token="timerange" depends="$timeRange$">
      <label>Time</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <set token="form.earliestTime">$earliest$</set>
        <set token="form.latestTime">$latest$</set>
      </change>
    </input>
    <input type="text" token="earliestTime" depends="$earliestLatest$">
      <label>StartDate</label>
      <default></default>
      <change>
        <set token="form.timerange.earliest">$value$</set>
      </change>
    </input>
    <input type="text" token="latestTime" depends="$earliestLatest$">
      <label>EndDate</label>
      <default></default>
      <change>
        <set token="form.timerange.latest">$value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>timerange $timerange.earliest$ - $timerange.latest$ earliest $earliestTime$ latest $latestTime$</title>
      <table>
        <search>
          <query>index=_internal 
| stats count by log_level</query>
          <earliest>$timerange.earliest$</earliest>
          <latest>$timerange.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top