Visualizations: Can eval tag (calculating token values) be used inside init, selection, progress or done?

Builder

All this is happening in Splunk 6.6.2:

I have a relatively complex form, with a timechart and a drilldown from its selection to the data table below it. I wanted to show the time interval in a table title, and tried using $start$ and $end$ (saving them in some external tokens within <selection> - to be used in <earliest> and <latest> tags of the data table search, as well as displayed in the title) for that. I also tried to use $job.earliestTime$ and $job.latestTime$ from inside <progress> tag to save them into the tokens referenced in the title.

Unfortunately, this shows the time either as -8h (if I pick "8 hours ago" from the time picker and don't make a selection within the time chart) or as an integer like 1527835260. "No big deal", I thought and slapped an <eval token="earliest_for_display">strftime($start$,"%F %T")</eval> within the timechart's <selection>. Then I tried the same with $job.earliestTime$ inside data table search's <progress> instead of $start$.

It seems that the eval never even tried to execute. I ended up pre-setting those tokens with "Earliest: not set yet" and "Latest: not set yet" within the form's <init> - and they never changed.

As a side note - might be helpful to some: simple strftime will not work with relatives like @d, -24h or now, so I came up with the following construct:

<eval token="earliest_for_display">strftime(case(
$job.earliestTime$=="now",now(),
match(tostring($job.earliestTime$),"^[-+@]"),relative_time(now(),$job.earliestTime$),
match(tostring($job.earliestTime$),"^\d{4}-"),strptime($job.earliestTime$,"%FT%T.%3N%:z"),
1==1,$job.earliestTime$),"%F %T")</eval>

That "^\d{4}-" is for the times I get from <selection> - they seem to be returned in that "%FT%T.%3N%:z" format.

0 Karma
1 Solution

SplunkTrust

@arkadyz71, your issue is not quite clear. However, I do want to mention that <eval> behavior is slightly different in eval command in searches and as <eval> tag in Simple XML dashboard. Refer to dashboard: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Define_token_filtering_and_formatting

Related to your question, do you want to display the Earliest and Latest Time as String Time in Panel Title? Do you also want to use the time as <selection> for timechart when time input has any change?

Please refer to one of my previous answers which sets Earliest and Latest Time (Epoch and String Time) based on (1) Splunk job's token $job.earliestTime$ and $job.latestTime$ and (2) using addinfo command by running dummy search.

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

Builder

Thanks for the link back to your previous answer - voted that up. For some reason, strptime(strftime($job.earliestTime$,...),...) failed to work for me, so I went with the | addinfo option. That did work - especially nice because addinfo is producing times in time and not string format, so there is no guessing what to tell strptime.

0 Karma
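The `| addinfo` approach discussed in the posts above, sketched as a Simple XML form. This is an added example, not code from either poster or from the linked answer. The token names `sel_earliest` and `sel_latest`, the field names `earliest_str` and `latest_str`, and the `index=_internal` queries are assumptions chosen for illustration. The formatting is done in SPL and copied into tokens with `<set>`, so no dashboard `<eval>` is involved.

```xml
<form>
  <label>Selection window in table title (added example)</label>
  <init>
    <set token="earliest_for_display">not set yet</set>
    <set token="latest_for_display">not set yet</set>
  </init>
  <!-- Dummy search: addinfo reports the bounds this search ran with as epoch seconds in info_min_time / info_max_time -->
  <search>
    <query>| makeresults | addinfo
           | eval earliest_str=strftime(info_min_time,"%F %T"), latest_str=strftime(info_max_time,"%F %T")</query>
    <earliest>$sel_earliest$</earliest>
    <latest>$sel_latest$</latest>
    <done>
      <set token="earliest_for_display">$result.earliest_str$</set>
      <set token="latest_for_display">$result.latest_str$</set>
    </done>
  </search>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal | timechart count</query>
          <earliest>-8h</earliest>
          <latest>now</latest>
        </search>
        <!-- Pan-and-zoom selection: store $start$ / $end$ in tokens shared by the dummy search and the table -->
        <selection>
          <set token="sel_earliest">$start$</set>
          <set token="sel_latest">$end$</set>
        </selection>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Events: $earliest_for_display$ to $latest_for_display$</title>
        <search>
          <query>index=_internal | head 100 | table _time sourcetype source</query>
          <earliest>$sel_earliest$</earliest>
          <latest>$sel_latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Until a selection is made on the chart, `sel_earliest` and `sel_latest` are unset, so the dummy search and the table wait for input and the title shows the `<init>` values.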

SplunkTrust

@arkadyz1, I am glad you found one of the options useful. You can accept this answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma