Splunk Search

Invalid value "$week$" for time term 'earliest' ?

pgadhari
Builder

I am getting below error when the page first loads, after that when I manually select "Last 1 week" in the dropdown, the timechart displays. Below is the error , please help resolve the issue ?

Invalid value "$week$" for time term 'earliest'

I think, somehow, when the page loads, the token $week$ having a value of "-7d" is not working.
Also, when I select the choice, the query is passed into the token and then the query is running using that token. Below is my code :

<panel>
       <title>Bandwidth Utilization - Trend</title>
       <input type="dropdown" token="week" searchWhenChanged="true">
         <label>Select Week</label>
         <choice value="-7d">Last 1 Week</choice>
         <choice value="-14d">Last 2 Weeks</choice>
         <choice value="-21d">Last 3 Weeks</choice>
         <choice value="-1mon">Last 1 Month</choice>
         <selectFirstChoice>true</selectFirstChoice>
         <default>-7d</default>
         <initialValue>-7d</initialValue>
         <change>
           <condition value="-7d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....
           </condition>

           <condition value="-14d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....

           <condition value="-21d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....

           <condition value="-1mon">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$@mon latest=now | my search .....
           </condition>
         </change>
         <search>
           <query>index=snmp | dedup host | stats count</query>
           <earliest>-5m@m</earliest>
           <latest>now</latest>
         </search>
         <fieldForLabel>count1</fieldForLabel>
         <fieldForValue>count1</fieldForValue>
       </input>
       <chart>
         <search>
           <query>$comparestring$</query>
           <earliest>0</earliest>
           <latest></latest>
           <sampleRatio>1</sampleRatio>
           <refresh>2m</refresh>
           <refreshType>delay</refreshType>
         </search>
         <!--option name="trellis.enabled">0</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">large</option-->
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
         <option name="charting.axisTitleX.text">Time</option>
         <option name="charting.axisTitleX.visibility">visible</option>
         <option name="charting.axisTitleY.visibility">visible</option>
         <option name="charting.axisTitleY2.visibility">visible</option>
         <option name="charting.axisX.abbreviation">none</option>
         <option name="charting.axisX.scale">linear</option>
         <option name="charting.axisY.abbreviation">none</option>
         <option name="charting.axisY.scale">linear</option>
         <option name="charting.axisY2.abbreviation">none</option>
         <option name="charting.axisY2.enabled">0</option>
         <option name="charting.axisY2.scale">inherit</option>
         <option name="charting.chart">area</option>
         <option name="charting.chart.bubbleMaximumSize">50</option>
         <option name="charting.chart.bubbleMinimumSize">10</option>
         <option name="charting.chart.bubbleSizeBy">area</option>
         <option name="charting.chart.nullValueMode">connect</option>
         <option name="charting.chart.showDataLabels">minmax</option>
         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
         <option name="charting.chart.stackMode">default</option>
         <option name="charting.chart.style">shiny</option>
         <option name="charting.drilldown">none</option>
         <option name="charting.layout.splitSeries">1</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
         <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
         <option name="charting.legend.mode">standard</option>
         <option name="charting.legend.placement">right</option>
         <option name="charting.lineWidth">2</option>
         <option name="height">396</option>
         <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
0 Karma
1 Solution

niketn
Legend

@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.

Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:

       <condition value="-7d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-14d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-21d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-1mon">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search ..... </set>
        </condition>
      </change>

Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.

Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:

       <condition value="-7d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-14d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-21d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-1mon">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search ..... </set>
        </condition>
      </change>

Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

manjunathmeti
Champion

Initialize token when dashboard loads:

<form>
  <init>
    <set token="week">-7d</set>
  </init>
  .....

But I would suggest you to write search query directly in the <chart> element instead of writing it to a token ($comparestring$) in <input> element.

<chart>
     <search>
        <query>index=snmp sourcetype=snmp_ta_vpn earliest=$week$ | my search .....</query>
        <sampleRatio>1</sampleRatio>
        <refresh>2m</refresh>
        <refreshType>delay</refreshType>
     </search>
     .....

to4kawa
Ultra Champion
0 Karma

pgadhari
Builder

Saw that docs, and I tried doing earliest_time=-7d@d, instead of earliest=-7d, but still getting the same error ? Not sure whats the issue ? still trying to figure it out ?

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...