Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add to or subtract one hour to time tokens to be passed in a drilldown?

jravida
Communicator
‎02-25-2016 01:53 PM

Hi folks,

I'm running the transaction command in a drilldown panel that passes the times picked on the timechart down to the next panel as tokens. The problem I run into is where the transactions don't fall within the hour slice, I want the token to subtract an hour from the earliest time, and add an hour to the latest, so I can encompass the transaction.

I tried $earliest_time$ - 1h

Splunk says "Invalid earliest_time"

Is there a way to offset the tokens this way?

0 Karma
Reply

hopnscotch
Path Finder
‎06-29-2016 10:49 AM

Did you ever find a solution to this?

I've tried so many combinations of 'possible solutions' I've seen posted, but none of them have worked for me.

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎02-26-2016 08:20 AM

You could change your token before it is consumed by the search. Do this in your drilldown:

    <eval token="time_tok_plus_1h_earliest">relative_time(relative_time(now(), 'earliest'), "+1h")</eval>
    <eval token="time_tok_plus_1h_latest">relative_time(relative_time(now(), 'latest'), "+1h")</eval>

Replace earliest and latest with wherever your values come from, e.g. click.value.

Reply

somesoni2
Revered Legend
‎02-25-2016 03:47 PM

I guess the earliest and latest value that you get from the drilldown will in epoch, so try one of these in the drilldown search

your base search earliest=($earliest_time$-3600) ...rest of the search

OR 

your base search [| gentimes start=-1 |eval earliest=$earliest_time$-3600 | table earliest ]
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...