Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Reference Time on Dashboard Load (and adjust t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I was wondering how I can reference the time picker on load for a dashboard and make sure that it's the right format. I am currently using two separate time pickers to reference two time periods for a table. The idea is to compare two different time periods and see the differences. What I would like to do is have the human readable date as the column name so if I had two different columns x and y, it would look like x (10-05-2018 to 10-20-2018) | y (11-05-2018 to 11-20-2018) . The current issue I'm running into is the fact that the time can be in a couple different formats, either epoch time or the relative notation (-1d@d, now()).
I'm probably just lacking knowledge about something but I'd love it to set a token that is human readable right on dashboard load and then update that human-readable token to be used in the queries everytime the user changes the timepicker.
Any help would be much appreciated.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe I figured this out so here it is for anyone who is trying to get either the epoch time or the human readable.
For the epoch time you can do this if your time token is labeled "time_input":
time = case("$time_input.earliest$" == "now", now(),
isnull(relative_time(now(), "$time_input.earliest$")), "$time_input.earliest$",
true(), relative_time(now(), "$time_input.earliest$"))
If you want to get the human readable format of this you can just wrap the case function return in a strftime() command like so:
time = case("$time_input.earliest$" == "now", strftime(now(), "%Y-%m-%h"),
isnull(relative_time(now(), "$time_input.earliest$")), "$time_input.earliest$",
true(), strftime(relative_time(now(), "$time_input.earliest$"), "%Y-%m-%h"))
I know this is a little confusing but it works! Also, if you are using it please be careful/aware of the quotes. If you do not use them how they are used here you might run into weird issues/errors with the eval command trying to read something like "-@d".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe I figured this out so here it is for anyone who is trying to get either the epoch time or the human readable.
For the epoch time you can do this if your time token is labeled "time_input":
time = case("$time_input.earliest$" == "now", now(),
isnull(relative_time(now(), "$time_input.earliest$")), "$time_input.earliest$",
true(), relative_time(now(), "$time_input.earliest$"))
If you want to get the human readable format of this you can just wrap the case function return in a strftime() command like so:
time = case("$time_input.earliest$" == "now", strftime(now(), "%Y-%m-%h"),
isnull(relative_time(now(), "$time_input.earliest$")), "$time_input.earliest$",
true(), strftime(relative_time(now(), "$time_input.earliest$"), "%Y-%m-%h"))
I know this is a little confusing but it works! Also, if you are using it please be careful/aware of the quotes. If you do not use them how they are used here you might run into weird issues/errors with the eval command trying to read something like "-@d".
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Splunk Observability for AI
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
