Splunk Search

time token conversion and displaying in title

mortenb123
Path Finder

Hi All

How do I get $time1$ and $time2$to display in my panel title?
I've also tried with strftime(), but without success, I mostly worked with snapped timestamps,

  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Timeintervall</label>
      <default>
        <earliest>-2d@d</earliest>
        <latest>-1d@d</latest>
      </default>
      <change>
        <eval token="time1">relative_time(now(),"$field1.earliest$")</eval>
        <eval token="time2">relative_time(now(),"$field1.latest$")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>ID&amp;Payment app Successful $time1$ to $time2$</title>

It will only show either "" 0 or just show the variable.

Thanks

Tags (2)
0 Karma
1 Solution

chimell
Motivator

Hi
I rectified just copy the search code below and test in your splunk web . It works well

<form>
<fieldset submitButton="false">
     <input type="time" token="field1" searchWhenChanged="true">
       <label>Timeintervall</label>
       <default>
         <earliest>-2d@d</earliest>
         <latest>-1d@d</latest>
       </default>
       <change>
         <eval token="time1">relative_time(now(),"-2d@d")</eval>
         <eval token="time2">relative_time(now(),"-1d@d")</eval>
       </change>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <title>Payment app Successful $time1$ to $time2$</title>

         <searchString>index=_internal|stats count by user</searchString>
         <earliestTime>$time1$</earliestTime>
         <latestTime>$time2$</latestTime>
       </table>
     </panel>
      </row>
     </form>

Look at the result

alt text

View solution in original post

chimell
Motivator

Hi
I rectified just copy the search code below and test in your splunk web . It works well

<form>
<fieldset submitButton="false">
     <input type="time" token="field1" searchWhenChanged="true">
       <label>Timeintervall</label>
       <default>
         <earliest>-2d@d</earliest>
         <latest>-1d@d</latest>
       </default>
       <change>
         <eval token="time1">relative_time(now(),"-2d@d")</eval>
         <eval token="time2">relative_time(now(),"-1d@d")</eval>
       </change>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <title>Payment app Successful $time1$ to $time2$</title>

         <searchString>index=_internal|stats count by user</searchString>
         <earliestTime>$time1$</earliestTime>
         <latestTime>$time2$</latestTime>
       </table>
     </panel>
      </row>
     </form>

Look at the result

alt text

mortenb123
Path Finder

Thanks, is it possible to then drop the first part, the field1 token and only use time1 and time2. Because the first one is not used.

0 Karma

mortenb123
Path Finder

Anyone have a workaround, or solution here. in earlier versions of Splunk the timepicker wrote the iso timerange when the picker could not snap it.
I have lots of boards and it is very irritating that I cant write the timerange properly other than showing the snap values.

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...