Splunk Search

simple xml dashboard eval strptime using old value not updated value for timepicker

mortenb123
Path Finder

Hi

In my dashboard I have a lot of the following timestamps
at the beginning of I have a timepicker

<input type="time" token="field1" searchWhenChanged="true">
      <label>Time Intervall</label>
      <default>
        <earliest>-6h@h</earliest>
        <latest>@h</latest>
      </default>
      <change>
        <eval token="time1">strftime(relative_time(now(),$field1.earliest$),"%c")</eval>
        <eval token="time2">strftime(relative_time(now(),$field1.latest$),"%c")</eval>
      </change>
  </input>

This is documented in:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/tokens#Access_labels_and_values_of_form_inputs

Giving the following results:

Signing successful for merchant 12025 June 22, 2016 12:00 AM to July 2, 2016 12:00 AM

The problem is:
When opening dashboard it does not pick default, it just seem to have two based on now():

Signing successful for merchant 65536 July 1, 2016 12:38 PM to July 1, 2016 12:38 PM

If I change any of the merchant or resolution dropdowns I get the correct timestamp.

But if I change the timepicker which uses the timepicker applet. it is not cached up, showing no changes.

If I change any of the other dropdowns the change is picked up.

0 Karma

rmarcum
Explorer

Here is the answer, finally!! Only "earliest" and "latest" should be used without the token name prefix....sigh. And, this user shows success with the single quote, not the $.

https://answers.splunk.com/answers/391250/why-does-timepicker-have-oldlag-context-data-durin.html

0 Karma

woodcock
Esteemed Legend

Your stuff is overriding the timepicker function (and breaking it). Why are you doing all that crazy extra work? Just do it normal, like this:

<form>
  <label>My Splunk Form</label>
  <description>Don't get fancy, just get it done.</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" token="time_tok1" searchWhenChanged="true">
      <label>My Splunk Timepicker</label>
      <default>Last 6 hours</default>
    </input>
  </fieldset>
  <row>
      <chart>
        <title>My Splunk Dashboard Panel</title>
        <searchString>My Search Goes Here</searchString>
        <earliestTime>$time_tok1.earliest$</earliestTime>
        <latestTime>$time_tok1.latest$</latestTime>

This does not show the rest of the XML (there is more) but this is just the part (from the top of the XML file) that matters.

0 Karma

rmarcum
Explorer

I am having this same issue, with a slightly different "relative_time", which I doubt is relevant. IMHO, we need a closer look at this question and the documentation.

(1) It "feels" like the sequencing of the timepicker during a dashboard opening, or filter setting change, is not aligned with the dashboard level eval at this location in the XML. Something is not triggering it. FYI, I have the same issues as mortenb123. I have tried many combinations of autoRun, submitButton, and searchWhenChanged, but I get this same issue.

(2) Also, it seems like the epoch time that goes to this "dashboard eval" token is 86400 seconds off of the epoch time contained in the "field1.*est" tokens being passed--e.g., pass the original value straight through this eval path to see this happening. Maybe this has something to do with the documentation cautioning us regarding the following for "dashboard evals", which, actually, I do not understand the point, i.e.:

relative_time(X,Y): Uses client time zone.
strftime(X,Y): Uses client time zone.
strptime(X,Y): Uses client time zone.

(3) Please note the following answer, which indicates success by JovanMilosevic, where we are led to understand that the "dashboard eval" should be within the timepicker "

0 Karma

rmarcum
Explorer

Got truncated, so, it looks like the XML angle brackets are not allowed in this text?...continuing

(3) Please note the following answer, which indicates success by JovanMilosevic, where we are led to understand that the "dashboard eval" should be within the timepicker "... input..." using the "...change..." delimiter:

https://answers.splunk.com/answers/334498/how-to-use-eval-on-a-token-from-a-time-picker-and.html

This issue smacks of a bug, but hopefully instead is something simple we are overlooking. Indeed, this "dashboard eval" for a time picker is suppose to work exactly as being used by mortenb123.

I have been staring at this and testing for hours, but no new results. I am using Splunk v6.3.4 build cae2458f4aef.

Regards.
rmarcum

0 Karma

woodcock
Esteemed Legend

Put your XML in after a blank line and then indented by 4 spaces.

0 Karma

rmarcum
Explorer

OK, tried that--i.e., blank line = no spaces in the line. Then, pasted in XML with "change" tags having 4 spaces indents and "eval" tags having 6 spaces indents. No change in results. Added blank line after for kicks since I do not know the objective here, with no change in results. Any hints as to your focus here?

BTW, I do observe the same date duplication for start/end at times as seen by mortenb123

Also, let me share a few more items/observations:

(4) The new token(s) from the "dashboard eval" is/are being used in HTML text on subsequent panels, and in panel titles, to show human readable time and epoch time (display of the latter date format is never a problem). This is a user feature I can obviously discard, but disappointing something this simple cannot be achieved.

(5) When the dashboard is first opened, the "dashboard eval" token shows "Invalid date". Setting the same default date on the timepicker causes the "dashboard eval" tokens to refresh and display the correct values.

(6) Changing the timepicker to another date is ignored by the "dashboard eval" token display, but not the epoch display. FYI, another action that causes the human readable time to show correctly on the dashboard panels is to toggle "Edit Panels" ON. When the time shows correctly, click "Done".

(7) Regading the #2 issue I mentioned above, I am simply adjusting for PDT Vs GMT in my eval. This seems to fix it, if we just look at the date and not time, but it makes no sense to me and is hardwired for the current daylight time as follows:

...eval...token="start_time"....strftime(relative_time(‘time01.earliest’,"-7h@h"),"%B %d, %Y %I:%M:%S %p %z")

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...