Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Invalid value "$week$" for time term 'earliest' ?

pgadhari
Builder
‎04-07-2020 12:31 AM

I am getting below error when the page first loads, after that when I manually select "Last 1 week" in the dropdown, the timechart displays. Below is the error , please help resolve the issue ?

Invalid value "$week$" for time term 'earliest'

I think, somehow, when the page loads, the token $week$ having a value of "-7d" is not working.
Also, when I select the choice, the query is passed into the token and then the query is running using that token. Below is my code :

<panel>
       <title>Bandwidth Utilization - Trend</title>
       <input type="dropdown" token="week" searchWhenChanged="true">
         <label>Select Week</label>
         <choice value="-7d">Last 1 Week</choice>
         <choice value="-14d">Last 2 Weeks</choice>
         <choice value="-21d">Last 3 Weeks</choice>
         <choice value="-1mon">Last 1 Month</choice>
         <selectFirstChoice>true</selectFirstChoice>
         <default>-7d</default>
         <initialValue>-7d</initialValue>
         <change>
           <condition value="-7d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....
           </condition>

           <condition value="-14d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....

           <condition value="-21d">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....

           <condition value="-1mon">
             <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$@mon latest=now | my search .....
           </condition>
         </change>
         <search>
           <query>index=snmp | dedup host | stats count</query>
           <earliest>-5m@m</earliest>
           <latest>now</latest>
         </search>
         <fieldForLabel>count1</fieldForLabel>
         <fieldForValue>count1</fieldForValue>
       </input>
       <chart>
         <search>
           <query>$comparestring$</query>
           <earliest>0</earliest>
           <latest></latest>
           <sampleRatio>1</sampleRatio>
           <refresh>2m</refresh>
           <refreshType>delay</refreshType>
         </search>
         <!--option name="trellis.enabled">0</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">large</option-->
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
         <option name="charting.axisTitleX.text">Time</option>
         <option name="charting.axisTitleX.visibility">visible</option>
         <option name="charting.axisTitleY.visibility">visible</option>
         <option name="charting.axisTitleY2.visibility">visible</option>
         <option name="charting.axisX.abbreviation">none</option>
         <option name="charting.axisX.scale">linear</option>
         <option name="charting.axisY.abbreviation">none</option>
         <option name="charting.axisY.scale">linear</option>
         <option name="charting.axisY2.abbreviation">none</option>
         <option name="charting.axisY2.enabled">0</option>
         <option name="charting.axisY2.scale">inherit</option>
         <option name="charting.chart">area</option>
         <option name="charting.chart.bubbleMaximumSize">50</option>
         <option name="charting.chart.bubbleMinimumSize">10</option>
         <option name="charting.chart.bubbleSizeBy">area</option>
         <option name="charting.chart.nullValueMode">connect</option>
         <option name="charting.chart.showDataLabels">minmax</option>
         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
         <option name="charting.chart.stackMode">default</option>
         <option name="charting.chart.style">shiny</option>
         <option name="charting.drilldown">none</option>
         <option name="charting.layout.splitSeries">1</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
         <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
         <option name="charting.legend.mode">standard</option>
         <option name="charting.legend.placement">right</option>
         <option name="charting.lineWidth">2</option>
         <option name="height">396</option>
         <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-07-2020 10:54 AM

@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.

Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:

       <condition value="-7d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-14d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-21d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-1mon">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search ..... </set>
        </condition>
      </change>

Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-07-2020 10:54 AM

@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.

Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:

       <condition value="-7d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        </condition>
        <condition value="-14d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-21d">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
        <condition value="-1mon">
          <set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search ..... </set>
        </condition>
      </change>

Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎04-07-2020 07:50 AM

Initialize token when dashboard loads:

<form>
  <init>
    <set token="week">-7d</set>
  </init>
  .....

But I would suggest you to write search query directly in the <chart> element instead of writing it to a token ($comparestring$) in <input> element.

<chart>
     <search>
        <query>index=snmp sourcetype=snmp_ta_vpn earliest=$week$ | my search .....</query>
        <sampleRatio>1</sampleRatio>
        <refresh>2m</refresh>
        <refreshType>delay</refreshType>
     </search>
     .....
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-07-2020 03:24 AM

see
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Timesconf

0 Karma
Reply
Solved! Jump to solution

pgadhari
Builder
‎04-07-2020 05:05 AM

Saw that docs, and I tried doing earliest_time=-7d@d, instead of earliest=-7d, but still getting the same error ? Not sure whats the issue ? still trying to figure it out ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...