Splunk Search

Timepicker relative time in dashboard.

jacobdavis
Engager
Hi all!
 
What I thought was going to be a fairly simple panel on a dashboard has been giving me fits. We have a global time picker (Datepkr) for our dashboard, and based on other picker selections from that dashboard would like to display a simple count of events in a timechart for the time window selected by the datepicker, and for the same time window the week prior. So if someone selected events for the past 4 hours, we would get a line chart of events for the past four hours with a second line of events for events of the last four hours exactly one week prior. Same deal if someone selected events in the time range Wednesday, Oct-18 16:00 through Thursday, Oct-19 12:00, they would get events for that range plus a second line for events Wednesday, Oct-11 16:00 through Thursday, Oct-12 12:00. I think it would get a bit weird as you start selecting increasingly large windows of time larger than one week, but that's ok, for the most part people will be using times less than one week.
 
I've run into two hurdles so far, one is how to get the second "-7d" time range to be created from the time picker, and then once the two searches can be made, how to effectively merge the two together.
 
I saw a few posts mentioning using makeresults or addinfo and info_min_time/info_max_time but these don't seem to be resolving correctly (the way I was using them at least), and setting the last week time in the body of the query seems wrong, or at least less useful than having it resolved somewhere that it could be used on other panels.
 
I tried to add two new tokens to set the past window, but because the time picker can produce times in varying formats this didn't seem to work.  I tried different ways of converting to epoch time and back but didn't get anywhere with that either.
 
Timepicker config including the eval:
 
<input type="time" token="Datepkr">
  <label>Time Range Picker</label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="date_last_week.earliest">relative_time($Datepkr.earliest$, "-7d")</eval>
    <eval token="date_last_week.latest">relative_time($Datepkr.latest$, "-7d")</eval>
  </change>
</input>
 
I haven't been able to get as far as a search that produces the right results, but assuming I can, I'm not sure how to overlay the two time ranges on top of each other since they are different time ranges. Wouldn't they display end to end? I'd like them to overlay.
 
I saw the timewrap function, but given that timewrap requires a time field as well as a time-span for the chart, I don't think that would mesh with the time picker.
 
Maybe something like:
 
Search for stuff from -7d | eval ReportKey="Last_Week" | modify the "_time" field | append [subsearch for stuff today | eval ReportKey="Today"] | timechart it based on ReportKey
 
Thanks in advance for any help!

bowesmana
SplunkTrust

I've posted a number of solutions for this problem, see a post from yesterday that references some of those

https://community.splunk.com/t5/Splunk-Search/Multiple-time-searches/m-p/669128#M229514

Effectively you have a global search that sees your Datepkr token and does a small search to calculate the relative dates - it needs addinfo, as that makes sure the tokens from the time picker are converted to epoch.

Then in your main search you can do

search (earliest=$Datepkr.earliest$ latest=$Datepkr.latest$) OR (earliest=$my_other_token_earliest$ latest=$my_other_token_latest$)
...
| eval category=if(_time <= $my_other_token_latest$, "PREV", "CURRENT")
| eval _time=if(_time <= $my_other_token_latest$, _time+my_offset, _time)
...
| timechart bla by category

which looks for both date ranges and then sets the category based on which range it's from, and then adjusts the PREV range _time to the current time, so they are overlaid; my_offset is the amount of time between your two ranges.

This methodology works, so if you're struggling to get something working, post what you've got and we can help.
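Putting the two halves together (the question's Datepkr picker and the answer's addinfo-then-OR-search approach), here is a complete Simple XML dashboard as an added example. It is not code from either poster or from Splunk's documentation; the index, sourcetype and token names (prev_earliest, prev_latest, offset) are assumptions. The global search uses addinfo so that whatever form the picker hands over (relative string or epoch) arrives as numeric info_min_time/info_max_time, shifts both bounds back a week with relative_time, and computes the offset from the result rather than hard-coding 604800 so a DST change inside the week does not misalign the overlay.

```xml
<form>
  <label>Events: selected window vs. same window one week earlier</label>
  <fieldset submitButton="false">
    <input type="time" token="Datepkr" searchWhenChanged="true">
      <label>Time Range Picker</label>
      <default>
        <earliest>-4h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Global search: converts the picker bounds to epoch via addinfo and
       derives the previous-week window. Runs once per picker change; its
       results are exposed as tokens for every panel in the dashboard. -->
  <search>
    <query>| makeresults
| addinfo
| eval prev_earliest=relative_time(info_min_time, "-7d"),
       prev_latest=relative_time(info_max_time, "-7d"),
       offset=info_min_time-prev_earliest
| fields prev_earliest prev_latest offset</query>
    <earliest>$Datepkr.earliest$</earliest>
    <latest>$Datepkr.latest$</latest>
    <done>
      <set token="prev_earliest">$result.prev_earliest$</set>
      <set token="prev_latest">$result.prev_latest$</set>
      <set token="offset">$result.offset$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Event count, current vs. previous week</title>
      <chart>
        <!-- Both ranges are pulled in one search. Events from the earlier
             range are tagged PREV and their _time is shifted forward by the
             computed offset, so timechart draws the two series on top of
             each other instead of end to end. Note the &lt; escape: the
             query lives inside XML. index/sourcetype are placeholders. -->
        <search>
          <query>index=main sourcetype=access_combined
    ((earliest=$Datepkr.earliest$ latest=$Datepkr.latest$) OR
     (earliest=$prev_earliest$ latest=$prev_latest$))
| eval category=if(_time &lt;= $prev_latest$, "PREV", "CURRENT")
| eval _time=if(category="PREV", _time+$offset$, _time)
| timechart count by category</query>
          <earliest>$prev_earliest$</earliest>
          <latest>$Datepkr.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

Two things to check when adapting this. First, if the picker is set to "All time", addinfo returns info_min_time=0 and info_max_time as +Infinity, so the prev_* tokens come back empty and the panel search will not render; constrain the picker or add a guard if that selection must be supported. Second, the inline earliest/latest terms take precedence over the search-level <earliest>/<latest>, which are set here only so the dashboard shows a sensible range label; the boundary test _time <= $prev_latest$ is what actually separates the two series, so keep the two windows non-overlapping (selections shorter than one week) or the PREV bucket will absorb events from the start of the current window.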
