How to dynamically generate time picker data from text input lookup csv

TheLawsOfChaos
Path Finder

Hello everyone!

Some background first:
Dashboard with many panels. Have a base search set up, and then using that for other searches on the dashboard.
I have a text input field called "source_url" and a text input field called "hits_csv". When the user of the dashboard enters in the source url, and a csv (with fields user, md5, url, epochtime, time), it then searches for all the panels.

I'm trying to automate some of the manual entry. I already have the dashboard reading in the 'url' field for the searches in the base search, by utilizing "[|inputlookup "$hits_csv$" | rename url as search]" in my search macro. Works amazing.

But now I'm trying to change the time picker's default earliest time to:

|inputlookup "$hits_csv$" | fields time (I was initially using epoch time, but saw the format needed for timepicker, so changed it to the proper format)

Only I don't see a way to give a search query to earliest (it states "Value node is not supposed to have children"). I have also attempted to utilize change with the condition of * for the timepicker:

  <change>
    <condition label="*">
      <set token="form.timepicker.earliest">([|inputlookup "$hits_csv$" | fields time])</set>
      <set token="form.timepicker.latest">relative_time([|inputlookup "$hits_csv$" | fields time], "+2d")</set>
    </condition>
  </change>

I've also tried to use eval instead of set.

If this was C or bash or python, I would declare a variable and assign it the result of my query, and then pass it along later. No idea how to do this here within this frame.

Also for added info, the query "|inputlookup "$hits_csv$" | fields time" will return "06/23/2017:12:48:17", so it should be the proper format for timepicker.

If this is unclear please let me know. I've tried to do research all over these forums, and I'm just not sure if I'm the first person to try this, or something is glaringly obviously wrong here.

I'm currently running Splunk 6.5.3.

0 Karma
1 Solution

woodcock
Esteemed Legend

Do it like this (assuming that the file contains time_t AKA epoch; if not convert from strftime to strptime on the opposite field):

<form>
  <label>Custom Time Picker</label>
  <description>Custom Time Picker</description>
  <fieldset autorun="false" submitButton="true">
    <input type="dropdown" token="earliestANDlatest" searchWhenChanged="false">
      <label>Start Time Selector</label>
      <fieldForLabel>humanTime</fieldForLabel>
      <fieldForValue>earliestANDlatest</fieldForValue>
      <search>
        <!-- time is epoch seconds; latest = time + 2 days, so the token expands to "earliest=<t> latest=<t+2d>" -->
        <query>|inputlookup &quot;$hits_csv$&quot; | fields time | eval humanTime=strftime(time, &quot;%m/%d/%Y %H:%M:%S&quot;) | eval latest=time + (2*24*60*60) | eval earliestANDlatest = &quot;earliest=&quot; . time . &quot; latest=&quot; . latest | table humanTime earliestANDlatest</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
</form>

Then in your panel search, start it with index=YourIndexHere $earliestANDlatest$ Other Stuff Here.

0 Karma

TheLawsOfChaos
Path Finder

Thanks Woodcock, ironically enough, I thought of a new idea and solved it roughly an hour after I posted this request.

I ended up working with a hidden dropdown, that runs the search query similar to yours, and then use that token for the default time. Also made the hidden dropdown be dependent on the CSV field.

I can post the code when I get back to work Monday, if we want to keep it for posterity's sake of other people searching for this.

0 Karma

woodcock
Esteemed Legend

It sounds interesting and probably more flexible than my solution but also much more complicated; do post it. Did you try mine?

0 Karma

TheLawsOfChaos
Path Finder

Sadly I left work a few hours ago (I'm in CET timezone) so I haven't tried yours yet. I'll try it on Monday, as well as share my code then when I have access to my system at work.

0 Karma

TheLawsOfChaos
Path Finder

So first I have a hidden dropdown that does the query for me:

<!-- opening tag not included in the post; token name taken from the $earlytime$ used by the base search below, the attribute that hides the input is not shown -->
<input type="dropdown" token="earlytime">
  <label>field1</label>
  <selectFirstChoice>true</selectFirstChoice>
  <search>
    <query>| inputlookup "$hits_csv$" | fields epochtime</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>
  <fieldForValue>epochtime</fieldForValue>
</input>

Since it's hidden, users will never see it. And for my search base, I utilize:

  <earliest>$earlytime$</earliest>
  <latest>now</latest>

So my normal timepicker defaults to -7d@h, so before I enter any csv names in, it defaults to 7 days ago, but once you enter in a csv and hit enter, it completes all the searches based upon the epoch time in the csv.

When I generate the csv, I'm actually generating a human readable format and the epoch time (wasn't sure initially which Splunk preferred) so luckily I don't have to translate anything.

All in all, I'm using the hidden dropdown as a variable.

<selectFirstChoice>true</selectFirstChoice>

That makes it possible, in that it will always pick the first choice, and I only compute the time once in the csv, so easy peasy!

0 Karma
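A small Python script that works through the CSV-to-time-window conversion both approaches in this thread rely on: woodcock's `earliest=<t> latest=<t+2d>` token built from an epoch column, and the asker's hidden dropdown that takes the first row's epochtime while the CSV also carries the `%m/%d/%Y:%H:%M:%S` form the time picker accepts. It is an added example, not code from either poster or from Splunk: the hits CSV is constructed, all timestamps are treated as UTC (SPL's strftime/strptime use the search user's time zone instead), and the whole-CSV window variant goes beyond the thread, which uses one row's time. It also checks that the epoch and human-readable columns agree, since a row where they disagree would silently move the search window.

```python
"""Derive a Splunk dashboard time window from a hits lookup CSV.

Added example for this thread, not code from either poster. It mirrors in
Python what the dashboard does in SPL: read the lookup, take a row's epoch
time, and build the "earliest=<t> latest=<t+2d>" token (woodcock's answer) or
the "%m/%d/%Y:%H:%M:%S" string the time picker accepts (the asker's CSV).
Assumption: all timestamps are UTC; SPL's strftime/strptime use the user's
time zone instead.
"""
import csv
import io
from datetime import datetime, timezone

# Format the asker reports the time picker accepting, e.g. "06/23/2017:12:48:17".
PICKER_FMT = "%m/%d/%Y:%H:%M:%S"
# Window woodcock's eval adds to the start time: 2*24*60*60 seconds.
TWO_DAYS = 2 * 24 * 60 * 60

# Constructed sample lookup with the columns the question lists
# (user, md5, url, epochtime, time); every value is made up for this example.
SAMPLE_HITS_CSV = """user,md5,url,epochtime,time
alice,d41d8cd98f00b204e9800998ecf8427e,http://example.invalid/a,1498222097,06/23/2017:12:48:17
bob,0cc175b9c0f1b6a831c399e269772661,http://example.invalid/b,1498308497,06/24/2017:12:48:17
"""


def to_epoch(picker_str):
    """strptime counterpart: picker-format string -> epoch seconds (UTC assumed)."""
    parsed = datetime.strptime(picker_str, PICKER_FMT).replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def to_picker_format(epoch):
    """strftime counterpart: epoch seconds -> picker-format string (UTC assumed)."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime(PICKER_FMT)


def parse_hits(csv_text):
    """Read the lookup and return its rows with epochtime converted to int.

    The asker's CSV carries both an epoch and a human-readable time; a row
    whose two columns disagree would silently move the search window, so
    such a row is rejected rather than trusted.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        epoch = int(row["epochtime"])
        if to_epoch(row["time"]) != epoch:
            raise ValueError(f"time/epochtime disagree for url={row['url']}")
        row["epochtime"] = epoch
        rows.append(row)
    if not rows:
        raise ValueError("lookup has no rows; the dashboard would keep its default window")
    return rows


def earliest_and_latest(rows, first_row_only=True):
    """Build the value woodcock's eval produces: "earliest=<t> latest=<t+2d>".

    first_row_only=True mirrors <selectFirstChoice>, which takes the first row.
    first_row_only=False is a generalisation not in the thread: one window
    covering every hit in the CSV, from the earliest hit to the latest hit + 2d.
    """
    times = [r["epochtime"] for r in rows]
    if first_row_only:
        start, end = times[0], times[0] + TWO_DAYS
    else:
        start, end = min(times), max(times) + TWO_DAYS
    return f"earliest={start} latest={end}"


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_HITS_CSV)
    print("hidden dropdown value (first row):", hits[0]["epochtime"])
    print("time picker format:", to_picker_format(hits[0]["epochtime"]))
    print("panel search prefix:", earliest_and_latest(hits))
    print("whole-CSV window:", earliest_and_latest(hits, first_row_only=False))
```

Run it against a lookup exported from the dashboard to see exactly which window the hidden dropdown or the `$earliestANDlatest$` token will hand to the panel searches; if the generating script writes local time into the `time` column, adjust the `timezone.utc` assumption to match the Splunk user's time zone or the mismatch check will fire.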