Splunk Search

How to pass form input tokens in dashboard search without using drilldown?

sduddilla
Path Finder

Hello,

Receiving an error when trying to access the time token in the search
I have defined an input time field to use in the search.
There are two items I am looking for:
1) I want the chart populated with default times such as the past 3 days (earliest=-3d and latest=now)
2) When user chooses a time token I want to pass the earliest time to the search in the chart

  My Label
    <row>
    <panel>
      <input type="time" searchWhenChanged="true" token="time_input_tok">
        <label>Select a time:</label>
        <default>
          <earliest>earliest=-3d@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <chart>
        <title>My title</title>
        <searchString>
          [ search index=xxxx| head 1
          | eval earliest=$time_input_tok.earliest$
          | eval latest=$time_input_tok.earliest$+259200
          | table earliest,latest  | format "(" "(" "" ")" "OR" ")" ]
          index=xxxx sourcetype=aaa |fields TA, TM |timechart span=5min Max(TM), Avg(TA)
        </searchString>
        <earliestTime>$time_input_tok.earliest$</earliestTime>
        <latestTime>$time_input_tok.latest$</latestTime>
      <searchString>
.
.
.

The search in the above chart is translated like this one below and erring because earliest time is not being populated in search.

[search index=xxxx| head 1 | eval earliest= | eval latest=+259200 |table earliest, latest | format "(" "(" "" ")" "OR" ")" ] index=xxxx sourcetype=aaaa | fields TA, TM | timechart span="5min" max(TM), avg(TA)

Here is the error in the dashboard chart:

 Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression 
0 Karma
1 Solution

ramdaspr
Contributor

The way you have set the earliest time is probably causing this issue, because you are adding the text "earliest=" to the actual value, which Splunk doesn't parse, so you get an invalid earliest time, which means your subquery is going to get a null.

Instead of

<input type="time" searchWhenChanged="true" token="time_input_tok">
       <label>Select a time:</label>
       <default>
       <earliest>earliest=-3d@h</earliest>
       <latest>now</latest>
       </default>
      </input>

use

<input type="time" searchWhenChanged="true" token="time_input_tok">
       <label>Select a time:</label>
       <default>
       <earliest>-3d@h</earliest>
       <latest>now</latest>
       </default>
      </input>

EDIT: Updated answer since it's easier to see all changes needed.

Since you are using time modifiers, you cannot directly add the time in seconds to them; e.g. you cannot add 1800 to "-15m@m".
In this case you will need to use the relative_time function to get the actual time, which can then be used.

Your SearchString needs to be

    [ |gentimes start=-1 
    | eval earliest=relative_time(now(), "$time_tok.earliest$")  
    | eval latest=earliest+1800  
    | table earliest,latest  
    | format  "(" "(" "" ")" "OR" ")" ]   
    index=indx sourcetype=xxx | fields TA, TM| timechart span=1sec max(TM), avg(TA)

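The subsearch in the accepted answer works because `format` turns the computed epoch values into literal `earliest="..." latest="..."` search terms, which the outer search applies as time bounds at index-scan time rather than as a post-filter. The Python script below is an added illustration, not code from this thread or from Splunk: it models, with simplifying assumptions, how `relative_time(now(), "-3d@h")` resolves a relative-time modifier (offset applied first, then snap-to), what `format "(" "(" "" ")" "OR" ")"` emits, and how the two combine into the final search. It also rejects the empty token the original poster saw, so that failure surfaces instead of becoming a null. The function names `relative_time`, `is_valid_time_token`, `format_rows` and `time_bounded_search`, the sample timestamp `SAMPLE_NOW`, the reduced set of time units and the exact whitespace of the `format` output are all assumptions of this example.

```python
"""Model of the time-bounded subsearch from the accepted answer (added example,
not Splunk's own code).  The SPL being modelled is:

    [ | gentimes start=-1
      | eval earliest=relative_time(now(), "$time_tok.earliest$")
      | eval latest=earliest+259200
      | table earliest,latest
      | format "(" "(" "" ")" "OR" ")" ]
    index=xxxx sourcetype=aaaa ...
"""
import re
from datetime import datetime, timedelta, timezone

# Units this model understands.  Splunk also supports months, quarters, years
# and snap-to-weekday; those are deliberately left out (assumption of the example).
_OFFSET_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
# <optional 'now'><optional signed offset such as -3d><optional snap such as @h>
_MODIFIER_RE = re.compile(r"^(now)?([+-]\d+[smhdw])?(@[smhd])?$")

# Constructed "current time" so the results are reproducible: 2024-05-06T13:27:45Z
SAMPLE_NOW = datetime(2024, 5, 6, 13, 27, 45, tzinfo=timezone.utc)


def relative_time(now: datetime, modifier: str) -> int:
    """Epoch seconds for a time-picker token value.

    Mirrors relative_time(now(), "<modifier>"): the offset is applied first and
    the result is then snapped down to the @unit boundary, so "-3d@h" is three
    days ago rounded down to the hour.  A time picker hands the token a plain
    epoch when the user selects an absolute range, so digit strings pass through.
    An empty token (the case in the question) raises instead of yielding a null
    that would silently empty the subsearch.
    """
    modifier = modifier.strip()
    if not modifier:
        raise ValueError("time token is empty: the input default was not applied")
    if modifier.isdigit():
        return int(modifier)
    match = _MODIFIER_RE.match(modifier)
    if not match:
        raise ValueError("unsupported time modifier: %r" % modifier)
    _, offset, snap = match.groups()
    t = now
    if offset:
        t = t + timedelta(**{_OFFSET_UNITS[offset[-1]]: int(offset[:-1])})
    if snap:
        unit = snap[1]
        t = t.replace(microsecond=0)
        if unit in "mhd":
            t = t.replace(second=0)
        if unit in "hd":
            t = t.replace(minute=0)
        if unit == "d":
            t = t.replace(hour=0)
    return int(t.timestamp())


def is_valid_time_token(modifier: str) -> bool:
    """Check a dashboard author can run before splicing a token value into SPL."""
    try:
        relative_time(SAMPLE_NOW, modifier)
        return True
    except ValueError:
        return False


def format_rows(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                col_end=")", row_sep="OR", row_end=")") -> str:
    """Model of the SPL `format` command and its six positional arguments.

    Each row becomes `col_prefix field="value" col_sep field="value" col_end`;
    rows are joined with row_sep inside row_prefix/row_end.  The answer passes
    "" as col_sep so the row reads `earliest="..." latest="..."`, which the
    outer search treats as time bounds rather than as field filters.
    """
    col_joiner = " %s " % col_sep if col_sep else " "
    row_joiner = " %s " % row_sep
    row_strings = []
    for row in rows:
        cols = ['%s="%s"' % (k, v) for k, v in row.items()]
        row_strings.append("%s %s %s" % (col_prefix, col_joiner.join(cols), col_end))
    return "%s %s %s" % (row_prefix, row_joiner.join(row_strings), row_end)


def time_bounded_search(base_search: str, earliest_token: str,
                        window_seconds: int, now: datetime = SAMPLE_NOW) -> str:
    """Assemble the final search string the way the dashboard subsearch does."""
    earliest = relative_time(now, earliest_token)
    latest = earliest + window_seconds          # eval latest=earliest+259200
    clause = format_rows([{"earliest": earliest, "latest": latest}], col_sep="")
    return "%s %s" % (clause, base_search)


if __name__ == "__main__":
    print(time_bounded_search("index=xxxx sourcetype=aaaa", "-3d@h", 259200))
```

Running the script with the constructed clock prints `( ( earliest="1714741200" latest="1715000400" ) ) index=xxxx sourcetype=aaaa`, i.e. the outer search receives fixed epoch bounds and never scans events outside the window. The strict regex in `relative_time` is the defensive part: a time-picker token can only legitimately carry a modifier or an epoch, so anything else (including the empty value the original poster hit) is rejected before it reaches the search string.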
sduddilla
Path Finder

I do want to clarify that I was referring to and tags in the search when I mentioned not using these tags. I understand that I have to use it in the default section of the form input.

0 Karma

sduddilla
Path Finder

ramdaspr,
For some reason it took away parts of my message last time, so I changed the format and am reposting the same comment.
The reason I want to pass the time token to the search (in this case the subsearch) is that I want to restrict the initial search to the time range I provided, and not use the earliestTime and latestTime modifiers in the search. If I use the earliestTime and latestTime modifiers in the search, then the initial search still searches a whole bunch of events outside the desired time range and then filters down to the time range specified.
I want the initial search to be limited to the time range specified, which is why I want to pass the earliest and latest as tokens in the search portion of the search, not the time modifier portion of the search.
If you are passing this time token within your search directly (not using earliestTime and latestTime), then is it possible for you to send me the complete code in the form, including the token usage in the search? I will see what I am doing differently and modify the code.

0 Karma

ramdaspr
Contributor

The code for the dropdown is

<form>
  <label>Sandbox</label>
  <description>This is a description</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok" searchWhenChanged="false">
      <label>Time Period</label>
      <default>
        <earliestTime>-3d@h</earliestTime>
        <latestTime>-2d@h</latestTime>
      </default>
    </input>

And the actual panel used is

 <row>
    <panel>
      <title>Test Panel</title>
      <chart>
        <title>Test2 Dashboard</title>
        <search>
          <query>[ |gentimes start=-1 | eval earliest=relative_time(now(), "$time_tok.earliest$")  | eval latest=earliest+1800  | table earliest,latest  | format  "(" "(" "" ")" "OR" ")" ]   index=myindex sourcetype=iis |fields cs_bytes, sc_bytes |timechart span=5min Max(cs_bytes), Avg(sc_bytes)</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

sduddilla
Path Finder

Ramdaspr, thank you again for your input. This method works, although I have to change it to the searchString tag instead of the combination of search and query tags. That may be because we are on Splunk version 6.1.x.

0 Karma

sduddilla
Path Finder

ramdaspr,
The reason I want to pass the time token to the search (in this case subsearch) is that I want to restrict the initial not is to limit initial search to the time range I provided. If I use and then the initial search still searches a whole bunch of events outside the desired time range and then filters out to the time range specified.
I want the initial search to be limited to the time range specified.
If you are passing this time token to your search (not using and ) is it possible for you to send me the complete code in the form including the token usage in search? I will see what I am doing differently and modify the code.

0 Karma

sduddilla
Path Finder

ramdaspr,
Thank you for your input.
The issue is that the default value token is not being passed to the search. After changing it to your latest modification of the search, the value passed as the token is still empty. I am looking for what needs to be changed in the dashboard so that the time input token is passed initially. After that, the time token is passed with the value, which is working fine. How do I pass the default token value for the earliest time to the search when the dashboard first loads?
Modified search in the dashboard:

[ | gentimes start=-1 index=xxxx| head 1
| eval earliest=relative_time(now(), "$time_input_tok.earliest$")
| eval latest=earliest+259200 |table earliest,latest
| format "(" "(" "" ")" "OR" ")" ]
index=xxxx sourcetype=aaaa
| fields TA, TM
| timechart span="5min" max(TM), avg(TA)

Here is how the new search is being translated. Note the empty string passed in the time token:
[ | gentimes start=-1 index=xxxx| head 1
| eval earliest=relative_time(now(), "")
| eval latest=earliest+259200 |table earliest,latest
| format "(" "(" "" ")" "OR" ")" ]
index=xxxx sourcetype=aaaa
| fields TA, TM
| timechart span="5min" max(TM), avg(TA)

0 Karma

ppablo
Retired

Hi @sduddilla

Please be sure than when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You've been typing your response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. I already converted your "answers" to comments, so just something to keep in mind from here on out. Thanks and happy Splunking!

0 Karma

ramdaspr
Contributor

EDIT: was not relevant to the question. Updated


I am using the below code in a test dashboard and it seems to load the default earliest and latest times as expected on v6.2.1.

<fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok" searchWhenChanged="false">
      <label>Time Period</label>
      <default>
        <earliestTime>-3d@h</earliestTime>
        <latestTime>-2d@h</latestTime>
      </default>
    </input>

I can't think of anything else which can influence the tokens from picking up the defaults.

0 Karma

sduddilla
Path Finder

Hello ramdaspr,
I have changed it to "-3d@h" instead of "earliest=-3d@h". It still gives me the same error.

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

Thanks

0 Karma

ramdaspr
Contributor

I have updated my answer above to add the final set of changes required to make it work.
Let me know if you are still running into issues

0 Karma