Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Invalid value "$week$" for time term 'earliest' ?

pgadhari
Builder
‎04-07-2020 12:31 AM

I am getting below error when the page first loads, after that when I manually select "Last 1 week" in the dropdown, the timechart displays. Below is the error , please help resolve the issue ?

Invalid value "$week$" for time term 'earliest'

I think, somehow, when the page loads, the token $week$ having a value of "-7d" is not working.
Also, when I select the choice, the query is passed into the token and then the query is running using that token. Below is my code :

<panel>
       <title>Bandwidth Utilization - Trend</title>
       <input type="dropdown" token="week" searchWhenChanged="true">
         <label>Select Week</label>
         <choice value="-7d">Last 1 Week</choice>
         <choice value="-14d">Last 2 Weeks</choice>
         <choice value="-21d">Last 3 Weeks</choice>
         <choice value="-1mon">Last 1 Month</choice>
         <selectFirstChoice>true</selectFirstChoice>
         <default>-7d</default>
         <initialValue>-7d</initialValue>
         <change>
           <condition value="-7d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....
           </condition>

           <condition value="-14d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....

           <condition value="-21d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....

           <condition value="-1mon">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$@mon latest=now | my search .....
           </condition>
         </change>
         <search>
           <query>index=snmp | dedup host | stats count</query>
           <earliest>-5m@m</earliest>
           <latest>now</latest>
         </search>
         <fieldForLabel>count1</fieldForLabel>
         <fieldForValue>count1</fieldForValue>
       </input>
       <chart>
         <search>
           <query>$comparestring$</query>
           <earliest>0</earliest>
           <latest></latest>
           <sampleRatio>1</sampleRatio>
           <refresh>2m</refresh>
           <refreshType>delay</refreshType>
         </search>
         <!--option name="trellis.enabled">0</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">large</option-->
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
         <option name="charting.axisTitleX.text">Time</option>
         <option name="charting.axisTitleX.visibility">visible</option>
         <option name="charting.axisTitleY.visibility">visible</option>
         <option name="charting.axisTitleY2.visibility">visible</option>
         <option name="charting.axisX.abbreviation">none</option>
         <option name="charting.axisX.scale">linear</option>
         <option name="charting.axisY.abbreviation">none</option>
         <option name="charting.axisY.scale">linear</option>
         <option name="charting.axisY2.abbreviation">none</option>
         <option name="charting.axisY2.enabled">0</option>
         <option name="charting.axisY2.scale">inherit</option>
         <option name="charting.chart">area</option>
         <option name="charting.chart.bubbleMaximumSize">50</option>
         <option name="charting.chart.bubbleMinimumSize">10</option>
         <option name="charting.chart.bubbleSizeBy">area</option>
         <option name="charting.chart.nullValueMode">connect</option>
         <option name="charting.chart.showDataLabels">minmax</option>
         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
         <option name="charting.chart.stackMode">default</option>
         <option name="charting.chart.style">shiny</option>
         <option name="charting.drilldown">none</option>
         <option name="charting.layout.splitSeries">1</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
         <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
         <option name="charting.legend.mode">standard</option>
         <option name="charting.legend.placement">right</option>
         <option name="charting.lineWidth">2</option>
         <option name="height">396</option>
         <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-07-2020 10:54 AM

@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.

Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:

       <condition value="-7d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-14d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-21d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-1mon">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search ..... </set>
        </condition>
      </change>

Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-07-2020 10:54 AM

@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.

Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:

       <condition value="-7d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-14d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-21d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-1mon">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search ..... </set>
        </condition>
      </change>

Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎04-07-2020 07:50 AM

Initialize token when dashboard loads:

<form>
  <init>
    <set token="week">-7d</set>
  </init>
  .....

But I would suggest you to write search query directly in the <chart> element instead of writing it to a token ($comparestring$) in <input> element.

<chart>
     <search>
        <query>index=snmp sourcetype=snmp_ta_vpn earliest=$week$ | my search .....</query>
        <sampleRatio>1</sampleRatio>
        <refresh>2m</refresh>
        <refreshType>delay</refreshType>
     </search>
     .....
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-07-2020 03:24 AM

see
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Timesconf

0 Karma
Reply
Solved! Jump to solution

pgadhari
Builder
‎04-07-2020 05:05 AM

Saw that docs, and I tried doing earliest_time=-7d@d, instead of earliest=-7d, but still getting the same error ? Not sure whats the issue ? still trying to figure it out ?

0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...