Splunk Search

Why is the time range not taken into account in a report using inputlookup?

brad_
Engager

Hello, the search below works perfectly thanks to the help found on this forum.
Now I would like to automate this search to run every week and receive it as a weekly report.
I have tested the time range options, but I have the impression that they are not taken into account.

| inputlookup file1.csv
| rename count as "file1"
| append
    [| inputlookup file2.csv |
     rename count as "file2" ]
| append
    [| inputlookup file3.csv
    |  rename count as "file3" ]
| append
    [| inputlookup file4.csv
    |  rename count as "file4" ]
| append
    [| inputlookup file5.csv | dedup _time 
    |  rename count as "file5" ]
| append
    [| inputlookup file6.csv
    |  rename count as "file6" ]
| where _time > strptime("2022-06-26","%Y-%m-%d") AND _time < strptime("2022-07-04","%Y-%m-%d")
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time

 

Thanks

 


brad_
Engager

Hello, I searched for the solution but it doesn't work. Any help?
I get "Error in 'where' command: The expression is malformed. Expected )".

<form>
  <label>bb3</label>
  <description>test</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup file1.csv
| rename count as "file1"
| append
    [| inputlookup file2.csv |
     rename count as "file2" ]
| append
    [| inputlookup file3.csv
    |  rename count as "file3" ]
| append
    [| inputlookup file4.csv
    |  rename count as "file4" ]
| append
    [| inputlookup file5.csv | dedup _time 
    |  rename count as "file5" ]
| append
    [| inputlookup file6.csv
    |  rename count as "file6" ]
| where _time &gt;= relative_time(now(), $field1.earliest$) AND _time &lt; relative_time(now(), $field1.latest$)
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>


 


brad_
Engager

I tried different ways but it's not working: preset, relative, real-time...


The answer is always the same: "No results found. Try expanding the time range."


ITWhisperer
SplunkTrust

Can you share your dashboard source code in a code block </>?


brad_
Engager

Does this help? Because the source code contains confidential information.

<div class="control-group-container">
    <div class="control-group col-1 timeinput earliest">
        <label for="earliest_view56386" class="control-label" title="Earliest:">Earliest:</label>
        <div class="controls">
            <div class="input-append">
                <input type="text" size="5" value="" class="earliest_input timerangepicker-relative-earliest-time" id="earliest_view56386"><div class="btn-group timerangepicker-relative_range_unit shared-controls-syntheticselectcontrol control-default" data-cid="view56399" data-view="views/shared/controls/SyntheticSelectControl" data-name="relative_range_unit" 

 


ITWhisperer
SplunkTrust

Not really, that is the source of the browser html for the timepicker by the looks of it.

Let me put it another way: how do you know the time is not being considered, and how are you specifying which time frame to use in the report?


brad_
Engager

Sorry, I understand now. Source code:

<dashboard theme="dark">
  <label>bb-test</label>
  <row>
    <panel>
      <title>TEST</title>
      <table>
        <search>
          <query>| inputlookup file1.csv
| rename count as "file1"
| append
    [| inputlookup file2.csv |
     rename count as "file2" ]
| append
    [| inputlookup file3.csv
    |  rename count as "file3" ]
| append
    [| inputlookup file4.csv
    |  rename count as "file4" ]
| append
    [| inputlookup file5.csv | dedup _time 
    |  rename count as "file5" ]
| append
    [| inputlookup file6.csv
    |  rename count as "file6" ]
| where _time &gt;= relative_time(now(), $timepicker.earliest$) AND _time &lt; relative_time(now(), $timepicker.latest$)
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

 


ITWhisperer
SplunkTrust

If that's your entire source code, then it doesn't work because you don't have a timepicker input.


brad_
Engager

Yes, that's it. What does it mean? Is there no other way to have a timepicker input?


ITWhisperer
SplunkTrust

Your code uses a token called "timepicker". If you add a timepicker input to your dashboard with a token name of "timepicker", this will resolve the input error you are seeing.


brad_
Engager

I added a time picker input with the token timepicker, but I get an error:
"Error in 'where' command: The expression is malformed. Expected )."


brad_
Engager

How do I know it is not working?

Because when I fill in 7 days or any other date, I get no result.


ITWhisperer
SplunkTrust

You are looking at it in edit mode. Tokens are resolved in edit mode; you need to save it to see whether the tokens are set up correctly.


brad_
Engager

Sorry, I don't understand. I get the error with where in normal mode too.

<form theme="dark">
  <label>bb-test</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timepicker">
      <label>Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>TEST</title>
      <table>
        <search>
          <query>| inputlookup file1.csv
| rename count as "file1"
| append
    [| inputlookup file2.csv |
     rename count as "file2" ]
| append
    [| inputlookup file3.csv
    |  rename count as "file3" ]
| append
    [| inputlookup file4.csv
    |  rename count as "file4" ]
| append
    [| inputlookup file5.csv | dedup _time 
    |  rename count as "file5" ]
| append
    [| inputlookup file6.csv
    |  rename count as "file6" ]
| where _time &gt;= relative_time(now(), $timepicker.earliest$) AND _time &lt; relative_time(now(), $timepicker.latest$)
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

 


ITWhisperer
SplunkTrust

Assuming your time picker input creates a token called timepicker, try something like this

| inputlookup file1.csv
| rename count as "file1"
| append
    [| inputlookup file2.csv |
     rename count as "file2" ]
| append
    [| inputlookup file3.csv
    |  rename count as "file3" ]
| append
    [| inputlookup file4.csv
    |  rename count as "file4" ]
| append
    [| inputlookup file5.csv | dedup _time 
    |  rename count as "file5" ]
| append
    [| inputlookup file6.csv
    |  rename count as "file6" ]
| where _time >= relative_time(now(), "$timepicker.earliest$") AND _time < relative_time(now(), "$timepicker.latest$")
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time
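As an added example (not code from the thread, from either poster, or from Splunk's documentation), here is a complete dashboard that filters the appended lookups by the panel's own time range. It addresses both the weekly-report goal in the first post and the "Expected )" error discussed above. In Simple XML, tokens are pasted into the query as literal text before the search is parsed, so `relative_time(now(), -7d@h)` is not a valid eval expression; an absolute time picker hands back epoch seconds rather than a relative modifier, which `relative_time()` is not built for either; and, more generally, splicing unquoted token text into SPL is the same pattern as any other string-built query. `inputlookup` ignores the search's time range entirely, which is why the filter is needed at all. This example therefore never puts the token text into the eval: the tokens only set the search's `<earliest>`/`<latest>`, `addinfo` exposes those bounds as `info_min_time`/`info_max_time`, and the `where` compares `_time` against them. The lookup file names and the `count`/`_time` columns are the ones from the thread; the token name `timepicker`, the Sunday-to-Sunday defaults, and the panel title are assumptions.

```xml
<form theme="dark">
  <label>Weekly lookup counts</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timepicker">
      <label>Range</label>
      <default>
        <!-- assumed default: the previous full week, Sunday to Sunday -->
        <earliest>-1w@w0</earliest>
        <latest>@w0</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Counts per _time within the selected range</title>
      <table>
        <search>
          <!-- inputlookup ignores the time range, so the search bounds are
               applied explicitly via addinfo instead of via the raw token text -->
          <query>| inputlookup file1.csv
| rename count as "file1"
| append
    [| inputlookup file2.csv
    | rename count as "file2" ]
| append
    [| inputlookup file3.csv
    | rename count as "file3" ]
| append
    [| inputlookup file4.csv
    | rename count as "file4" ]
| append
    [| inputlookup file5.csv | dedup _time
    | rename count as "file5" ]
| append
    [| inputlookup file6.csv
    | rename count as "file6" ]
| addinfo
| where _time &gt;= info_min_time AND (info_max_time="+Infinity" OR _time &lt; info_max_time)
| fields - info_min_time info_max_time info_search_time info_sid
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
        </search>
        <option name="count">100</option>
        <option name="drilldown">none</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```

Two things to keep in mind when adapting this. `addinfo` must come after the last `append`: rows added by a later `append` would carry no `info_*` fields, the comparison against a null bound would be false, and the `where` would silently drop them. The `info_max_time="+Infinity"` guard is there because `addinfo` reports that literal string rather than an epoch when the range has no upper bound (the "All time" preset), and a numeric-versus-string comparison would otherwise discard every row. For the weekly e-mailed report, save the same SPL as a scheduled report with earliest `-1w@w0` and latest `@w0` and a weekly schedule; `addinfo` picks the report's time range up in exactly the same way, with no tokens involved.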