I am trying to bring future data into a dashboard which include events from this week's Friday 17:00 UTC until next week same day same hour, but I don't get any valid results whatsoever, in 2 test cases:
I have declared 4 tokens:
<eval token="earliest_default">relative_time(now() , "+1w@w5+17h")</eval> <eval token="latest_default">relative_time(now() , "+7d@d+17h")</eval>
<eval token="time_from">relative_time(now(),"+1w@w+17h")</eval> <eval token="time_to">relative_time(now(),"+7d@d+17h")</eval>
And queried a search which evaluates the time for a week's span: (TEST1)
<search> <query>index="xxx_index" | head 1 | eval thisFriday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "+1w@w+17h"), relative_time(now() , "+7d@d+17h")) | eval nextFriday17 = relative_time(thisFriday17 , "+7d@d+17h") | eval filterFrom = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next Week Friday 17:00 UTC", thisFriday17 , "$xxx_presetTime$"=="custom" , $time_from$ ) | eval filterTo = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next Week Friday 17:00 UTC", nextFriday17, "$xxx_presetTime$"=="custom" , $time_to$ ) | eval filterFrom_label = strftime(filterFrom,"%d-%m-%Y- %H:%M:%S") | eval filterTo_label = strftime(filterTo,"%d-%m-%Y- %H:%M:%S") | table filterFrom , filterTo,filterFrom_label,filterTo_label</query> <earliest></earliest> <latest></latest> <done> <set token="from_drill">$result.filterFrom$</set> <set token="to_drill">$result.filterTo$</set> <set token="filterFrom_label">$result.filterFrom_label$</set> <set token="filterTo_label">$result.filterTo_label$</set> </done> </search>
The main issue is that no data is displayed even if it should be. Changing the span ruins the results, meaning that Splunk brings data from the LAST Friday until THIS Friday, not from THIS Friday to the upcoming one or 2 weeks
Working in the Advanced Time Span filter and selecting the above throws "The earliest time is invalid"
TEST2
A working code I brought up is the following, but the results captured are from the LAST Friday until THIS Friday, not from THIS Friday to the upcoming 2 weeks. Reducing the time span from the below breaks the code. This broke me too.
| eval thisFriday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "@w5+17h"), relative_time(now() , "+1w@w5+17h")) | eval next2Friday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "@w5+14d+17h"), relative_time(now() , "+1w@w5+14d+17h")) | eval filterFrom = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next 2 Weeks Friday 17:00 UTC", thisFriday17 , "$xxx_presetTime$"=="custom" , $time_from$ ) | eval filterTo = case( "$xxxx_presetTime$"=="This Friday 17:00 UTC - Next 2 Weeks Friday 17:00 UTC", next2Friday17, "$xxx_presetTime$"=="custom" , $time_to$ ) | eval filterFrom_label = strftime(filterFrom,"%d-%m-%Y- %H:%M:%S") | eval filterTo_label = strftime(filterTo,"%d-%m-%Y- %H:%M:%S") | table filterFrom , filterTo,filterFrom_label,filterTo_label
I must mention that the user is not able to change the Preset Time Span I am forcing:
<input type="dropdown" token="xxx_presetTime" searchWhenChanged="true"> <label>Preset Time Span</label> <choice value="This Friday 17:00 UTC - Next Week Friday 17:00 UTC">This Friday 17:00 UTC - Next Week Friday 17:00 UTC</choice>
Hope I am being clear in exposing my issue. Thanks in advance for your help!
... View more