Re: Multiple Time filters on a Dashboard

delly_fofie · ‎04-16-2022

Hello,

I have a dashboard with two different time filters.

The first time filter is used to filter the _time filter

The second time filter should be used to filter the results on a different field X.

I see in the dashboard URL form2.date2.earliest=<VALUE> & form2.date2.latest=<OPTIONAL_VALUE>

I would like in a where clause or something similar to filter my results based on that date2 input.

What is the best way to do it in Splunk>

I Hope without Code snippet the question is clear and understandable.

tscroggins · ‎04-16-2022

@delly_fofie

We can use the first option proposed by @niketn in Running one of two searches based on time picker selection:

<form>
  <label>delly_fofie_time_filters</label>
  <search>
    <query>| makeresults</query>
    <earliest>$other_time_tok.earliest$</earliest>
    <latest>$other_time_tok.latest$</latest>
    <done>
      <eval token="other_time_tok_earliest">strptime($job.earliestTime$, "%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="other_time_tok_latest">strptime($job.latestTime$, "%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="_time_tok">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="time" token="other_time_tok">
      <label>Other Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| addinfo
| eval other_time_tok_earliest=$other_time_tok_earliest$, other_time_tok_latest=$other_time_tok_latest$</query>
          <earliest>$_time_tok.earliest$</earliest>
          <latest>$_time_tok.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Note that I've updated the code for Splunk Enterprise 8.2. Simple XML and Splunk Web use JavaScript to parse eval elements. The values of job.earliestTime and job.latestTime have formats that may change between Splunk versions, and strptime() format specifiers are converted internally to Moment.js specifiers.

In this Simple XML example, the first time input with token _time_tok is referenced by the table search earliest and latest values.

The second time input with token other_time_tok is referenced by a global search that uses Splunk's job engine to parse the values and store the earliest and latest epoch values in other_time_tok_earliest and other_time_tok_latest, respectively.

You can then reference the other_time_tok_* tokens in any search or other dashboard element. I've used them with an eval command to display their values, but you can use them anywhere you'd like, including in search (implied or explicit) and where commands.

delly_fofie · ‎04-16-2022

Hello @tscroggins Thanks for the answer.

This seems to only work when a user selects a very clear date-range,

As soon as the user selects some relatives the it doesn't seem to work anymore.

E.g if the user selects All Time then the values are earliest=0 & latest= (Latest is not filled at all)

Splunk version is the 8.2

tscroggins · ‎04-17-2022

@delly_fofie

You should handle that special case in whatever way makes sense for your data. My example used epoch values. If your data uses signed 32-bit epoch values, you might treat the latest value as 2147483648 (one more than the max epoch value):

<eval token="other_time_tok_latest">if($job.latestTime$!="", strptime($job.latestTime$, "%Y-%m-%dT%H:%M:%S.%3N%z"), 2147483648)</eval>

The solution you use is dependent on your source data. You may need to further modify the example.

What is the best way to use multiple time filters on a dashboard?

other

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability