Splunk Search

Is there an option to add Time Token function on Dashboard?

cbiraris
Path Finder

Hi Team,

I have several dashboards that contain base search data from reports, for example:

<search id="baseSearch" ref="Report"></search>

But I see that I am not getting an option to add a time token on the dashboard.

Is there any option by which we can provide a time token to expand or reduce the time window for end users on the dashboard when using the ref="Report" saved search method?


0 Karma
1 Solution

FelixLeh
Contributor

Reports are snapshots of data and can't be changed after they are created. Thus you aren't able to change the time on a report once it is done. You could create multiple reports with the same search but different time ranges but I don't think that is what you want.

You could create the report over the maximum duration that you want users to see and use a time picker to limit the events shown.

Make a separate panel in the dashboard that uses the report as its base and insert the following code:

| where _time>relative_time(now(),"$time_token.earliest$")

Dashboard example: 

<form version="1.0">
  <search id="base" ref="test_report"></search>
  <label>Test</label>
  <fieldset submitButton="false">
    <input type="time" token="time_token">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>This is my Panel</title>
      <table>
        <search base="base">
          <query>| where _time&gt;relative_time(now(),"$time_token.earliest$")</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

_______________________________________

If this was helpful please consider awarding Karma. Thx!
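
An added example, not part of FelixLeh's answer and not Splunk's own code: a variant of the dashboard above that applies both ends of the time picker and also accepts the epoch values the picker returns for fixed date ranges. The helper fields lo_raw, hi_raw, lo and hi are assumptions of this example, and real-time (rt) ranges are not handled.

```xml
<form version="1.1">
  <label>Test (added example)</label>
  <!-- Report saved over the longest window users may select (name taken from the answer above) -->
  <search id="base" ref="test_report"></search>
  <fieldset submitButton="false">
    <input type="time" token="time_token">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Report results limited by the time picker</title>
      <table>
        <search base="base">
          <!-- lo_raw, hi_raw, lo and hi are helper fields made up for this example.
               Epoch values pass through; an empty earliest falls back to 0, an empty
               latest or "now" falls back to now(); anything else is treated as a
               relative time modifier. -->
          <query><![CDATA[
| eval lo_raw="$time_token.earliest$", hi_raw="$time_token.latest$"
| eval lo=case(isnull(lo_raw) OR lo_raw=="", 0,
               NOT match(lo_raw, "[^0-9.]"), tonumber(lo_raw),
               true(), relative_time(now(), lo_raw))
| eval hi=case(isnull(hi_raw) OR hi_raw=="" OR hi_raw=="now", now(),
               NOT match(hi_raw, "[^0-9.]"), tonumber(hi_raw),
               true(), relative_time(now(), hi_raw))
| where _time>=lo AND _time<=hi
| fields - lo_raw, hi_raw, lo, hi
          ]]></query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The report has to return the _time field and cover the longest window offered, since the panel can only narrow what the report already holds.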

 


cbiraris
Path Finder

This is awesome. Thank you for sharing, this is working @FelixLeh

0 Karma

FelixLeh
Contributor

Glad to hear that! You're welcome! 😄

(You could mark my answer as the solution to complete/close the question 😉 )

0 Karma
