send the time value for a search range

Engager

Hi,

I need to take the start and end time of the first dashboard and send the variables with a token from the first dashboard, but I do not know how to filter the time with the variables from the first dashboard to the second.

code:

<form>
  <label>MAQUETA1 SISTEMA15</label>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>1511989578.011</earliest>
        <latest>1511989578.16</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="master">
        <search>
          <query>index="banamex" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="sist15" field_header=STD2 
| eval num_trans=code_serv_std2.subcodigo_serv_std2
| transaction num_trans startswith=(resp=*I) endswith=(resp=*O)
| eval first_mix=mvindex(mix, 0) 
| eval last_mix=mvindex(mix, -1) 
| eval hour1=mvindex(hora, 0)
| eval hour2=mvindex(hora, -1)
| eval first_duration = tostring(duration, "duration")
| eval mytime=strftime(_time, "%Y-%m-%d") 
| eval fecha=strftime(strptime(mytime,"%Y-%m-%d"),"%d/%m/%Y")
| eval first_hour=strftime(strptime(hour1,"%H%M%S%2N"),"%H:%M:%S:%2N")
| eval last_hour=strftime(strptime(hour2,"%H%M%S%2N"),"%H:%M:%S:%2N")
| eval first_time=fecha." ".first_hour
| eval last_time=fecha." ".last_hour
| table mix resp first_mix last_mix first_time last_time first_duration num_trans  app_dest_std2 app_origen_std2
| rename  mix as "MIX" first_time as "Hora Inicio Respuesta" last_time as "Hora Fin Respuesta" first_duration as "Tiempo Respuesta"
  num_trans as "Número de Transacción" first_mix as "Mix Inicio" last_mix as "Mix Fin" app_dest_std2 as "Aplicación Destino"
  app_origen_std2 as "Aplicacion Origen"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="showDetails">true</set>
          <set token="first_mix">$row.Mix Inicio$</set>
          <set token="Last_Mix">$row.Mix Fin$</set>
          <set token="FirstTime">$row.Hora Inicio Respuesta$</set>
          <set token="LastTime">$row.Hora Fin Respuesta$</set>
          <set token="Duration">$row.Tiempo Respuesta$</set>
          <set token="num_trans">$row.Número de Transacción$</set>
          <set token="Destino">$row.Aplicación Destino$</set>
          <set token="Origen">$row.Aplicacion Origen$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail" depends="$showDetails$">
        <search>
          <query>index="banamex" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="sist15" 
| eval Tiempo1="$FirstTime$" 
| eval Tiempo2="$LastTime$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Could you help me?

0 Karma

Esteemed Legend

In the <done> section of the first panel you can set global tokens like this:

<done>
  <set token="myEarliest">$job.earliestTime$</set>
  <set token="myLatest">$job.latestTime$</set>
</done>

0 Karma
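
How the detail panel can consume the tokens set in `<done>`, as an added example that is not part of the original answer. The queries are shortened stand-ins for the ones in the question, the default time range is a placeholder, and the example assumes the values of `$job.earliestTime$` and `$job.latestTime$` are accepted as they are by `<earliest>` and `<latest>`.

```xml
<form>
  <label>Added example: master/detail sharing one time range</label>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="master">
        <search>
          <!-- shortened stand-in for the master query in the question -->
          <query>index="banamex" sourcetype="sist15" field_header=STD2
| eval num_trans=code_serv_std2.subcodigo_serv_std2
| transaction num_trans startswith=(resp=*I) endswith=(resp=*O)
| table num_trans duration</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <!-- when the job finishes, copy its resolved time bounds into tokens -->
          <done>
            <set token="myEarliest">$job.earliestTime$</set>
            <set token="myLatest">$job.latestTime$</set>
          </done>
        </search>
        <drilldown>
          <set token="showDetails">true</set>
          <set token="num_trans">$row.num_trans$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail" depends="$showDetails$">
        <search>
          <!-- |s wraps the clicked value in quotes before it reaches SPL -->
          <query>index="banamex" sourcetype="sist15"
| eval num_trans=code_serv_std2.subcodigo_serv_std2
| where num_trans=$num_trans|s$</query>
          <earliest>$myEarliest$</earliest>
          <latest>$myLatest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The detail search does not start until `$myEarliest$` and `$myLatest$` are defined, so it runs only after the master job has finished and a row has been clicked.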

Legend

@Carolina, refer to this answer on similar lines. There seems to be an issue with the default $earliest$ and $latest$ drilldown tokens, which might be fixed in a future release. Meanwhile, try out the workaround provided by @emeelan [Splunk]

https://answers.splunk.com/answers/587132/drilldown-pass-the-earliest-and-latest-from-a-time.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma