Hi guys,
I am trying to show two tables: one for the time frame selected with a time picker, and one for the same search over the same time frame but 7 days ago.
Below is my query using field1 as my time picker.
Below is my "query" in my dashboard.
host="xxx-xxx-xxx" sourcetype="alarm_metric" ealiest=$field1.earliest$-86400m latest=$field1.ealiest$-86385m
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)"
| eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago" | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed
| eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey
I am using count and not timechart, so I cannot use timewrap, as I want to show a count of response times 0-1, 2-3 and so on.
Thanks
Sean
The previous answer wanted you to have two searches, one for your panel, one that is separate from any panel and really just sets the tokens. For your panel search, something like this:
<query>host="xxx-xxx-xxx" sourcetype="alarm_metric" | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx
| eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000
| table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago" | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric"
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000
| table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
<earliest>$earliest7$</earliest>
<latest>$latest7$</latest>
Note I moved $earliest7$ and $latest7$ out of the search string and into the earliest/latest fields below. But if you do need to use a token in a search string, you need to make sure it's surrounded by $ (on both sides). Your pasted XML had some instances of $ on only one side of the token name.
And then another search higher up in the dashboard to set the tokens:
<search id="set_time">
<query><![CDATA[| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)]]></query>
<done>
<condition match="'job.resultCount' == 1">
<set token="earliest7">$result.earliest7$</set>
<set token="latest7">$result.latest7$</set>
</condition>
</done>
</search>
Consider referencing this recent answer I posted regarding how this may look as a complete XML example.
Hi micahkemp,
Thanks for the advice. However, I cannot actually get it to work. Not sure what I am missing, but I either get "invalid start time" or "waiting for input" when I try to get it to work.
Thanks
Sean
Can you paste the XML of your dashboard that is not working?
Hi micahkemp,
This is what I have, which errors with "invalid earliest time".
<form>
<label>SM_Test</label>
<search id="set_time">
<query>
<![CDATA[| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)]]>
</query>
<done>
<condition match="'job.resultCount' == 1">
<set token="earliest7">$result.earliest7$</set>
<set token="latest7">$result.latest7$</set>
</condition>
</done>
</search>
<fieldset>
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>xyz</title>
<search>
<query>host="xxx-xxx-xxx" sourcetype="alarm_metric" |spath "Message.SourceApp" | search "Message.SourceApp"=xyz | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago" | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" $earliest$ $latest$ | spath "Message.SourceApp" | search "Message.SourceApp"=xyz | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
<earliest>$earliest7$</earliest>
<latest>$latest7$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
Thanks
Sean
There seem to be a number of problems with earliest=$field1.earliest$-86400m latest=$field1.ealiest$-86385m. First of all, you cannot subtract "86400m", because Splunk holds "86400m" as a string. It's better to use earliest=$field1.earliest$-86400, without "m". Second, if you want to get "This Time 7 Days Ago", you should subtract 7*24*3600 = 604800, rather than 86400. Lastly, this notation fails if you select a relative time in your initial time picker. In this case $field1.earliest$ equals "-15m" or something like that, and it will be difficult to count "-15m-604800".
You can try the following workaround. Add a search to your dashboard with this query, bound to the time picker's tokens, that sets the two "7 days ago" tokens when it finishes:
<search>
<query>| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<done>
<set token="earliest7">$result.earliest7$</set>
<set token="latest7">$result.latest7$</set>
</done>
</search>
Then use the tokens $field1.earliest$ and $field1.latest$ as the earliest and latest bounds in the "today" subsearch, and use the tokens $earliest7$ and $latest7$ as the earliest and latest bounds in the "7 days ago" search.
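Putting micahkemp's and nryabykh's advice above together, the following complete Simple XML form is an example added here by the editor; it is not code from either answer or from the original dashboard. It assumes the same placeholder host xxx-xxx-xxx, sourcetype alarm_metric, SourceApp value xyz and "took <n>" message format that the thread uses. It goes slightly beyond the two answers in three places: the token-setting search is bound to the picker's tokens (an unbounded search runs over all time, addinfo then reports info_min_time as 0, and earliest7 becomes a negative epoch, which is not a valid earliest time); the "All time" case is guarded explicitly; and the panel carries a depends attribute so it stays hidden until both tokens exist instead of showing "Search is waiting for input...". The queries sit in CDATA so the <elapsed> named group in the regex is not parsed as an XML tag.

```xml
<form>
  <label>Response time buckets: selected range vs. 7 days ago</label>

  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Token-setting search, attached to no panel. Binding it to the picker's
       tokens makes addinfo report the picker's bounds rather than "all time". -->
  <search id="set_time">
    <query><![CDATA[
| makeresults
| addinfo
| eval earliest7 = if(info_min_time <= 0, 0, info_min_time - 7*24*3600),
       latest7   = if(info_max_time == "+Infinity", now() - 7*24*3600, info_max_time - 7*24*3600)
    ]]></query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <done>
      <condition match="'job.resultCount' == 1">
        <set token="earliest7">$result.earliest7$</set>
        <set token="latest7">$result.latest7$</set>
      </condition>
    </done>
  </search>

  <row>
    <!-- Hidden until both computed tokens exist (avoids "waiting for input") -->
    <panel depends="$earliest7$,$latest7$">
      <table>
        <title>Count of response times (seconds): now vs. this time 7 days ago</title>
        <search>
          <!-- Outer search = 7 days ago window (epoch tokens from set_time).
               Inner appended search = the picker's own window; relative
               modifiers such as -15m are valid directly in earliest=/latest=. -->
          <query><![CDATA[
host="xxx-xxx-xxx" sourcetype="alarm_metric"
| spath "Message.SourceApp" | spath "Message.EventMessage"
| search "Message.SourceApp"=xyz
| eval msg='Message.EventMessage'
| rex field=msg "took (?P<elapsed>\S+)"
| eval elapsed = elapsed/1000, ReportKey = "This Time 7 Days Ago"
| table _time host elapsed ReportKey
| append
    [ search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$
      | spath "Message.SourceApp" | spath "Message.EventMessage"
      | search "Message.SourceApp"=xyz
      | eval msg='Message.EventMessage'
      | rex field=msg "took (?P<elapsed>\S+)"
      | eval elapsed = elapsed/1000, ReportKey = "Today"
      | table _time host elapsed ReportKey ]
| chart count over elapsed span=1 by ReportKey
          ]]></query>
          <earliest>$earliest7$</earliest>
          <latest>$latest7$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Two checks worth doing once it renders: open the search job inspector on the panel and confirm the outer search's earliest/latest are epochs about 604800 seconds behind the picker's, and keep in mind that append's subsearch is subject to the subsearch result and time limits, so for wide picker ranges the "Today" side can be silently truncated; in that case, run both windows as one search with two disjoint earliest/latest clauses, or use multisearch, instead of append.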
Hi Nryabykh,
Thanks for the reply. To be honest, I tried it with and without the "m" and could not get it to play 😞
I have also tried to add your suggestions, but without success. I have added my panel and the start of the form:
<form>
<label>SM_Test</label>
<fieldset>
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<init>
<set token="earliest7">$result.$earliest7$</set>
<set token="latest7">$result.$latest7$</set>
</init>
<row>
<panel>
<table>
<title>Test App</title>
<search>
<query>makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)
host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=earliest7$ latest=latest7$ | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx
| eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000
| table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago" | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000
| table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
Using the above, I get an error stating "Search is waiting for input...".
Not sure where I am going wrong.
Thanks
Sean
Could there be a syntax error with the fact that there are 3 $ in the token setting expression?
$result.$earliest7$
Hi, Sean.
Sorry for bad formatting in my answer, I was confused a bit about text input controls here. Micahkemp represented it clearly in the answer below.
If your question was answered, please accept the answer you consider most valid/helpful, so this answer no longer appears open.
Hi nyabykh,
Even with it explained a little bit more, I cannot get either to work. I have tried various permutations, following both pieces of advice, but I either get "waiting for input" or "invalid start time".
Thanks
Sean