Splunk Search

Invalid value "$week$" for time term 'earliest' ?

pgadhari
Builder

I am getting the error below when the page first loads; after that, when I manually select "Last 1 week" in the dropdown, the timechart displays. Below is the error, please help resolve the issue?

Invalid value "$week$" for time term 'earliest'

I think, somehow, when the page loads, the token $week$ having a value of "-7d" is not working.
Also, when I select the choice, the query is passed into the token and then the query is running using that token. Below is my code:

<panel>
       <title>Bandwidth Utilization - Trend</title>
       <input type="dropdown" token="week" searchWhenChanged="true">
         <label>Select Week</label>
         <choice value="-7d">Last 1 Week</choice>
         <choice value="-14d">Last 2 Weeks</choice>
         <choice value="-21d">Last 3 Weeks</choice>
         <choice value="-1mon">Last 1 Month</choice>
         <selectFirstChoice>true</selectFirstChoice>
         <default>-7d</default>
         <initialValue>-7d</initialValue>
         <change>
           <condition value="-7d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....</set>
           </condition>
           <condition value="-14d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....</set>
           </condition>
           <condition value="-21d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....</set>
           </condition>
           <condition value="-1mon">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$@mon latest=now | my search .....</set>
           </condition>
         </change>
         <search>
           <query>index=snmp | dedup host | stats count</query>
           <earliest>-5m@m</earliest>
           <latest>now</latest>
         </search>
         <fieldForLabel>count1</fieldForLabel>
         <fieldForValue>count1</fieldForValue>
       </input>
       <chart>
         <search>
           <query>$comparestring$</query>
           <earliest>0</earliest>
           <latest></latest>
           <sampleRatio>1</sampleRatio>
           <refresh>2m</refresh>
           <refreshType>delay</refreshType>
         </search>
         <!--option name="trellis.enabled">0</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">large</option-->
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
         <option name="charting.axisTitleX.text">Time</option>
         <option name="charting.axisTitleX.visibility">visible</option>
         <option name="charting.axisTitleY.visibility">visible</option>
         <option name="charting.axisTitleY2.visibility">visible</option>
         <option name="charting.axisX.abbreviation">none</option>
         <option name="charting.axisX.scale">linear</option>
         <option name="charting.axisY.abbreviation">none</option>
         <option name="charting.axisY.scale">linear</option>
         <option name="charting.axisY2.abbreviation">none</option>
         <option name="charting.axisY2.enabled">0</option>
         <option name="charting.axisY2.scale">inherit</option>
         <option name="charting.chart">area</option>
         <option name="charting.chart.bubbleMaximumSize">50</option>
         <option name="charting.chart.bubbleMinimumSize">10</option>
         <option name="charting.chart.bubbleSizeBy">area</option>
         <option name="charting.chart.nullValueMode">connect</option>
         <option name="charting.chart.showDataLabels">minmax</option>
         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
         <option name="charting.chart.stackMode">default</option>
         <option name="charting.chart.style">shiny</option>
         <option name="charting.drilldown">none</option>
         <option name="charting.layout.splitSeries">1</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
         <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
         <option name="charting.legend.mode">standard</option>
         <option name="charting.legend.placement">right</option>
         <option name="charting.lineWidth">2</option>
         <option name="height">396</option>
         <option name="refresh.display">progressbar</option>
       </chart>
     </panel>

niketn
Legend

@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.

Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:

      <change>
        <condition value="-7d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-14d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-21d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-1mon">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search .....</set>
        </condition>
      </change>

Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
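
Added example, not part of the original thread or of Splunk's own tooling: a check that parses a Simple XML fragment and reports every <set> or <eval> inside an input's <change> handler that reads the input's own token instead of the predefined $value$ token, plus a helper that produces the rewritten text. The sample panel and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's full dashboard): one condition still reads
# the input's own token, the other already uses the predefined $value$ token.
SAMPLE = """<panel>
  <input type="dropdown" token="week">
    <choice value="-7d">Last 1 Week</choice>
    <choice value="-1mon">Last 1 Month</choice>
    <default>-7d</default>
    <change>
      <condition value="-7d">
        <set token="comparestring">index=snmp earliest=$week$ latest=now</set>
      </condition>
      <condition value="-1mon">
        <set token="comparestring">index=snmp earliest=$value$@mon latest=now</set>
      </condition>
    </change>
  </input>
</panel>"""


def own_token_pattern(name):
    # Matches $week$, $form.week$ and filtered forms such as $week|s$.
    return re.compile(r"\$(?:form\.)?" + re.escape(name) + r"(\|\w+)?\$")


def find_self_references(xml_text):
    """List (input token, condition value, token being set) for every <set>/<eval>
    in an input's <change> handler that reads the input's own token."""
    findings = []
    for inp in ET.fromstring(xml_text).iter("input"):
        name = inp.get("token")
        if not name:
            continue
        pattern = own_token_pattern(name)
        for change in inp.findall("change"):
            # Actions may sit directly under <change> or inside a <condition>.
            for scope in [change] + change.findall("condition"):
                for action in scope:
                    if action.tag in ("set", "eval") and pattern.search(action.text or ""):
                        findings.append((name, scope.get("value"), action.get("token")))
    return findings


def use_value_token(text, name):
    """Rewrite references to the input's own token to $value$, keeping any filter."""
    return own_token_pattern(name).sub(lambda m: "$value" + (m.group(1) or "") + "$", text)
```

The dashboard source has to be well-formed XML before it can be parsed, so unclosed <set> or <condition> elements need fixing first.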


manjunathmeti
Champion

Initialize token when dashboard loads:

<form>
  <init>
    <set token="week">-7d</set>
  </init>
  .....

But I would suggest writing the search query directly in the <chart> element instead of writing it to a token ($comparestring$) in the <input> element.

<chart>
     <search>
        <query>index=snmp sourcetype=snmp_ta_vpn earliest=$week$ | my search .....</query>
        <sampleRatio>1</sampleRatio>
        <refresh>2m</refresh>
        <refreshType>delay</refreshType>
     </search>
     .....

to4kawa
Ultra Champion

pgadhari
Builder

Saw those docs, and I tried doing earliest_time=-7d@d instead of earliest=-7d, but still getting the same error? Not sure what's the issue? Still trying to figure it out.
