Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use eval on a token from a time picker and add it to a label for a chart?

KevinAdu
Explorer
‎12-15-2015 12:13 AM

In my Splunk Dashboard, I have a time picker and charts which shows a search for each subsequent day from the earliest time selected in the time picker.

I want to display a formatted date in a label for each chart. So for example:

Day 1 - 15/12/2015
Day 2 - 16/12/2015
Day 3 - 17/12/2015
etc

I understand that these dates can be derived from the time picker's token. Here is what I have attempted so far just for the first date but it does not seem to work:

<input type="time" token="InputTime">
      <label>TimePicker for SourceType</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <eval token="new_time">strptime($InputTime.earliest$, "%m/%d/%Y")</eval>
        <title>Day 1 - $new_time$</title>

Could anybody tell me what I am doing wrong?
Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

JovanMilosevic
Path Finder
‎02-26-2016 04:06 AM

I know it's been a while, but might help someone else. Just been wrestling with similar problem. I've found that evals need to be inside the input block. Also, when tokens are used there, they need to be in single quotes. Finally, it's strftime rather than strptime. Try...

<input type="time" token="InputTime">
       <label>TimePicker for SourceType</label>
       <default>
         <earliest>-15m</earliest>
         <latest>now</latest>
       </default>
       <change>
         <eval token="new_time">strftime('InputTime.earliest', "%m/%d/%Y")</eval> 
       </change>
  </input>
   </fieldset>
   <row>
     <panel>
       <chart>
         <title>Day 1 - $new_time$</title>

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2016 01:51 AM

Try to insert eval command in the search of a panel and then extract the token in the panel and show it in the panel's title.
But if you do this, you have to manage the showed columns to don't see the value in a column: in this case you have to use the <fields> option
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

JovanMilosevic
Path Finder
‎02-26-2016 04:06 AM

I know it's been a while, but might help someone else. Just been wrestling with similar problem. I've found that evals need to be inside the input block. Also, when tokens are used there, they need to be in single quotes. Finally, it's strftime rather than strptime. Try...

<input type="time" token="InputTime">
       <label>TimePicker for SourceType</label>
       <default>
         <earliest>-15m</earliest>
         <latest>now</latest>
       </default>
       <change>
         <eval token="new_time">strftime('InputTime.earliest', "%m/%d/%Y")</eval> 
       </change>
  </input>
   </fieldset>
   <row>
     <panel>
       <chart>
         <title>Day 1 - $new_time$</title>
Reply
Solved! Jump to solution

rmarcum
Explorer
‎07-11-2016 02:49 PM

Hi JovanMilosevic, did this indeed work for you? We are looking for your secret. (-: Please check question:

https://answers.splunk.com/answers/425146/simple-xml-dashboard-eval-strptime-using-old-value.html

Best Regards

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎12-17-2015 10:30 AM

I'm not sure if you can perform an eval on a time token to convert it to another time format... I know that you can do this though:

 <input type="time" token="InputTime">
       <label>TimePicker for SourceType</label>
       <default>
         <earliest>-15m</earliest>
         <latest>now</latest>
       </default>
     </input>
   </fieldset>
   <row>
     <panel>
       <chart>
         <title>Day 1 - $InputTime.earliest$ to $InputTime.latest$</title>
0 Karma
Reply
Solved! Jump to solution

KevinAdu
Explorer
‎12-20-2015 04:52 PM

Yeah but the issue is that will show it in the unix timestamp format. So I was hoping I could change it to make it more readable.

Where I saw the eval command being used that way was on this page:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/tokens

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...