It's a bit long, I hope it will not bore you.
I made a Splunk graph with two lines 🙂
I need to see the values compared to the average of the last 10 days.
So:
One line is the percentage between a time period, let's say today 28 Jan 14:20 --> 14:25.
The second line is the average percentage for the same time period over the last 10 days, 18-27 Jan 14:20 --> 14:25.
What I can tell by looking at this graph is stuff like "Today at 14:20 we had x% more/less than the last 10 day average, but at 14:21 we had x% more/less" etc.
It's important to always have time snapped at the start of the minute (so if "now" is 17:31:23 then the last minute is 17:30:00.000 --> 17:30:59.999).
To make the search for this graph, I am using earliest= and latest= like this:
index=logs earliest=-5m@m latest=-1m@m
| ....
| append [search index=logs (
    (earliest=-24h-5m@m AND latest=-24h-1m@m) OR
    (earliest=-48h-5m@m AND latest=-48h-1m@m) OR ...
  ) | ...
]
| ...
The search itself works ok, but my problem is when I try to make a dashboard for it.
The dashboard needs to contain a time input with a token I named "thetime" 🙂
Usually, you make the dashboard search use this time input by selecting "Shared Time picker (thetime)".
This is not possible for my search, so I need somehow to specify $thetime.earliest$ / $thetime.latest$ in the search query.
But I cannot just simply do something straightforward like:
index=logs earliest=$thetime.earliest$ latest=$thetime.latest$-24h@m | ...
Depending on what I select in the time picker, I can end up with messages like:
Invalid value "now-24h" for time term 'latest'
I know about | addinfo https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Addinfo but it's impossible to use "info_max_time" in the first part of the search, only after the pipe addinfo. And even if it did somehow, there would still be the issue of the required minute snap to 00 --> 59 seconds.
My approach was to use the <init> part of the dashboard XML to calculate all the needed earliest/latest values.
Currently I am dealing only with relative ranges; I will deal with exact dates (between) later.
So in my dashboard XML I have this:
<form version="1.1" theme="light">
  <init>
    <eval token="RSTART">strftime(relative_time(now(), $thetime.earliest$),"%Y-%m-%d %H:%M:00")</eval>
    <eval token="REND">strftime(relative_time(now(), $thetime.latest$),"%Y-%m-%d %H:%M:00")</eval>
  </init>
  ...
  <query>index=logs | eval RRSTART="$RSTART$", RREND="$REND$" | table _time, RRSTART, RREND</query>
  ...
</form>
The following part drives me crazy.
Assuming now is 17:55:02.
I am accessing the Splunk dashboard that has this link:
https://splunk-self-hosted/en-US/app/search/DASHBOARD_NAME
When I first load the page, I see the time picker and a submit button.
There are no results shown until I press submit.
I select "Relative", earliest 1 Hours ago, "No snap-to", latest now, apply and submit.
The browser URL changes to https://splunk-self-hosted/en-US/app/search/DASHBOARD_NAME?form.thetime.earliest=-1h&form.thetime.la...
and the results I get:
RRSTART             | RREND
2025-01-28 17:55:00 | 2025-01-28 17:55:00
(same values, bad)
At this point, I just click the refresh button of the browser, and I get:
RRSTART             | RREND
2025-01-28 16:55:00 | 2025-01-28 17:55:00
(correct values)
So basically, if I always click submit and then reload, I get the correct values 🙂
From what I understand from https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/tokens#Set_tokens_on_page_load this should not happen.
As for my questions:
- Can anyone tell me if I am doing something wrong with <init>? Maybe it cannot be used this way with dashboard tokens?
- Or maybe there is another way to do this without using <init>?
Thank you for taking the time to read.
Using Splunk Enterprise Version: 9.1.0.2

There are generally two ways to do this: one can be done in the search alone and the other can be done in the dashboard. I tend to use the dashboard approach when in a dashboard, which is to use addinfo and to calculate the ranges needed for the outer search.
The technique is to use a hidden search, either in a table where you have <row depends="$hidden$"> as the row header, or as a base search in the core body of the XML. (NB: In this example I have not hidden the search so you can see what's generated.)
However, see this example, which calculates 10 periods going back over the last 10 days with the correct matching time period.
<form version="1.1" theme="light">
  <label>Times</label>
  <fieldset submitButton="false">
    <input type="time" token="thetime" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-5m@m</earliest>
        <latest>@m</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <set token="pd_min_current">$result.pd_min_current$</set>
            <set token="pd_max_current">$result.pd_max_current$</set>
            <set token="pd_min_1">$result.pd_min_1$</set>
            <set token="pd_max_1">$result.pd_max_1$</set>
            <set token="pd_min_2">$result.pd_min_2$</set>
            <set token="pd_max_2">$result.pd_max_2$</set>
            <set token="pd_min_3">$result.pd_min_3$</set>
            <set token="pd_max_3">$result.pd_max_3$</set>
            <set token="pd_min_4">$result.pd_min_4$</set>
            <set token="pd_max_4">$result.pd_max_4$</set>
            <set token="pd_min_5">$result.pd_min_5$</set>
            <set token="pd_max_5">$result.pd_max_5$</set>
            <set token="pd_min_6">$result.pd_min_6$</set>
            <set token="pd_max_6">$result.pd_max_6$</set>
            <set token="pd_min_7">$result.pd_min_7$</set>
            <set token="pd_max_7">$result.pd_max_7$</set>
            <set token="pd_min_8">$result.pd_min_8$</set>
            <set token="pd_max_8">$result.pd_max_8$</set>
            <set token="pd_min_9">$result.pd_min_9$</set>
            <set token="pd_max_9">$result.pd_max_9$</set>
            <set token="pd_min_10">$result.pd_min_10$</set>
            <set token="pd_max_10">$result.pd_max_10$</set>
          </done>
          <query>| makeresults
| addinfo
| eval pd_min_current=info_min_time, pd_max_current=info_max_time
| foreach 1 2 3 4 5 6 7 8 9 10 [
    eval pd_min_<<FIELD>>=relative_time(info_min_time, "-"."<<FIELD>>"."d"),
         pd_max_<<FIELD>>=relative_time(info_max_time, "-"."<<FIELD>>"."d")
  ]
| fields - info_*</query>
          <earliest>$thetime.earliest$</earliest>
          <latest>$thetime.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_audit
    (earliest >= $pd_min_current$ AND latest < $pd_max_current$) OR
    (earliest >= $pd_min_1$ AND latest < $pd_max_1$) OR
    (earliest >= $pd_min_2$ AND latest < $pd_max_2$) OR
    (earliest >= $pd_min_3$ AND latest < $pd_max_3$) OR
    (earliest >= $pd_min_4$ AND latest < $pd_max_4$) OR
    (earliest >= $pd_min_5$ AND latest < $pd_max_5$) OR
    (earliest >= $pd_min_6$ AND latest < $pd_max_6$) OR
    (earliest >= $pd_min_7$ AND latest < $pd_max_7$) OR
    (earliest >= $pd_min_8$ AND latest < $pd_max_8$) OR
    (earliest >= $pd_min_9$ AND latest < $pd_max_9$) OR
    (earliest >= $pd_min_10$ AND latest < $pd_max_10$)
| bin _time span=5m aligntime=@m
| chart count by _time user</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
See how the <done> part of the hidden search will then set the tokens needed by your actual search.
The other technique is to do the same as the hidden search, but in a subsearch, so the subsearch will return earliest and latest for each of the periods you want to restrict to.
Hope this helps
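The arithmetic the hidden search above performs, as an added example that is not part of this thread and not Splunk's code: a small Python model of relative_time plus the start-of-minute snap the question asks for, producing the selected window and the same window on each of the previous ten days, then rendering them as the OR-ed earliest=/latest= clause that either the tokens or the subsearch variant would substitute into the outer search. It goes slightly beyond the thread in that it parses a general subset of Splunk's relative-time syntax (offsets in s/m/h/d/w and @s/@m/@h/@d snaps, applied left to right) rather than one fixed spec; that subset, the function names, and the constructed "now" of 2025-01-28 17:55:02 (taken as UTC) are assumptions of the example.

```python
"""Model of the window arithmetic behind a hidden
`| makeresults | addinfo | foreach ... relative_time(...)` search.
Added example, not code from the thread or from Splunk.
Assumption: only the relative-time subset [+-]<n>[smhdw] and @[smhd] is
parsed, applied in the order written; "now" and "" mean the current time."""
import re
from datetime import datetime, timedelta, timezone

_TOKEN = re.compile(r"([+-]\d+)([smhdw])|@([smhd])")
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def snap(t: datetime, unit: str) -> datetime:
    """Floor `t` to the start of the given unit (Splunk's @s/@m/@h/@d)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit: {unit!r}")


def relative_time(now: datetime, spec: str) -> datetime:
    """Resolve a spec such as "-24h-5m@m" or "@d+3h" against `now`.
    Offsets and snaps apply in the order written: "-1h@m" subtracts an
    hour and then snaps, "@d+3h" snaps first. Anything outside the
    supported subset (e.g. "now-24h") raises, as Splunk rejects it."""
    spec = spec.strip()
    if spec in ("", "now"):
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:  # a gap means an unparsed character
            raise ValueError(f"unsupported relative time: {spec!r}")
        pos = m.end()
        if m.group(3):
            t = snap(t, m.group(3))
        else:
            t += timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})
    if pos != len(spec):
        raise ValueError(f"unsupported relative time: {spec!r}")
    return t


def periods(now: datetime, earliest_spec: str, latest_spec: str, days: int = 10):
    """Minute-snapped [start, end) for the selected window and for the same
    window on each of the previous `days` days. Labels mirror the token
    names in the dashboard: "current" and "1".."10" (pd_min_N / pd_max_N).
    Day steps are plain 24h shifts, which is exact for the UTC `now` used here."""
    start = snap(relative_time(now, earliest_spec), "m")
    end = snap(relative_time(now, latest_spec), "m")
    if end <= start:
        raise ValueError("window is empty after snapping to the minute")
    windows = [("current", start, end)]
    for n in range(1, days + 1):
        back = timedelta(days=n)
        windows.append((str(n), start - back, end - back))
    return windows


def spl_time_clause(windows) -> str:
    """OR-ed earliest=/latest= terms in epoch seconds: the text that the
    <done> tokens, or a subsearch returning earliest/latest pairs, end up
    substituting into the outer search."""
    return " OR ".join(
        f"(earliest={int(s.timestamp())} latest={int(e.timestamp())})"
        for _, s, e in windows
    )


# Constructed "now" matching the question: 2025-01-28 17:55:02, taken as UTC.
NOW = datetime(2025, 1, 28, 17, 55, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, s, e in periods(NOW, "-5m@m", "@m"):
        print(f"pd_{label}: {s:%Y-%m-%d %H:%M:%S} -> {e:%Y-%m-%d %H:%M:%S}")
    print(spl_time_clause(periods(NOW, "-5m@m", "@m")))
```

Running it with the question's picker selection ("-1h" and "now") gives 16:55:00 and 17:55:00, the values the author saw after reloading. Window ends are exclusive, so snapping "now" down to 17:55:00 keeps only complete minutes, which is the snap requirement from the question; a spec Splunk rejects, such as "now-24h", is rejected by the parser too.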
Not really a problem for my case, I just wanted to post here, maybe someone will need to know this.
The hidden search approach to solve this issue has the downside that it doesn't work with real-time searches (e.g. when you select a 30 minute window from the time picker).
Thank you!
I just tested it now, it works like a charm.
I was worried that the extra search you used would consume processing power, but all is ok, as the job inspector said:
This search has completed and has returned 1 results by scanning 0 events in 0.014 seconds
Apologies for the late reply, I've been swamped.

Glad it worked. These types of makeresults search are insignificant; they only ever sit on the search head as they never search data from the indexers.
I often use background searches and tokens to create data that can then be used in <html> panels. They don't consume much.

Hi
I'm quite sure that you are on the correct path. Unfortunately I don't have at hand right now any examples where that or quite similar options have been done. You probably know the simple xml example app and its debug part? If not, there are some instructions on how to use it: https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf
Anyhow, use those init and finalize parts on searches and also check the token and form.token values. Sometimes you must use one, and at another time/for another purpose the other one. Also that simple xml debug part helps you to understand how and when those are different.
I'll try to find those examples later if you cannot solve this or nobody can help you beforehand.
r. Ismo
Thank you for the info!
I didn't know about the app you mentioned, sounds useful.
I wanted to install it, but I couldn't 😞
I think I found it here ( https://splunkbase.splunk.com/app/1603 ) but it's end-of-life / archived.
I didn't see any alternatives listed ( https://lantern.splunk.com/Splunk_Platform/Product_Tips/Extending_the_Platform/SimpleXML_Examples_ap... )

It should be installable even if it's archived.
OK, it seems that the policy has changed and there is no longer a download button for archived apps. Let's check if anyone knows more about this on Slack. https://splunk-usergroups.slack.com/archives/C0453SZLGHX/p1738101637411249

You can download archived apps from the old Splunkbase site:
https://classic.splunkbase.splunk.com/app/1603/