Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to use 2 time range pickers in a single query

sabari80
Explorer
‎10-24-2023 09:27 AM

I have a query to retrieve user experience metrics from Dynatrace index. Wanted to compare the response times for 2 different time frames. My query is having sub query as well. In the dashboard, i am having 2 time range pickers. Main query is picking the time range from time range picker1 and in the sub query using the token from time range picker2. 

<<main search>>

| appendcols
[ search index="dynatrace"  $tr_14AGuxUA.earliest$ - $tr_14AGuxUA.latest$

| spath |output=user_actions path="userActions{}"| stats count by user_actions

this is not retrieving any data from the sub query. how to fix this?

If i am passing the hard coded values - earliest=10/23/2023:10:00:00 latest=10/23/2023:11:00:00, then its working fine. 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-26-2023 03:35 AM

Wait a second. Whenever I see "compare" and "appendcols" in the same sentence I raise my brow questioningly. Remember that appendcols doesn't preserve any order between the two searches.

I'd probably go with single search with two timeframes limited with

<your search> (earliest=$main_picker.earliest$ latest=$main_picker.latest$) OR (earliest=$secondary_picker.earliest$ latest=$secondatry_picker.latest$)

Then you can classify, stats and whatever you want.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-24-2023 10:06 AM

Try something like this

search index="dynatrace"  [| makeresults | eval earliest=relative_time(now(),"$tr_14AGuxUA.earliest$"), latest=relative_time(now(),"$tr_14AGuxUA.latest$") | table earliest latest]
0 Karma
Reply

sabari80
Explorer
‎10-24-2023 10:19 AM

tried this and not getting any results for the sub query 

 

| appendcols
[ search index="dynatrace"  [| makeresults | eval earliest=relative_time(now(),"$tr_14AGuxUA.earliest$"), latest=relative_time(now(),"$tr_14AGuxUA.latest$") | table earliest latest]
| spath output=user_actions path="userActions{}"
| stats count by user_actions

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-25-2023 09:14 AM

What do you get from just doing the index search?

index="dynatrace"  [| makeresults | eval earliest=relative_time(now(),"$tr_14AGuxUA.earliest$"), latest=relative_time(now(),"$tr_14AGuxUA.latest$") | table earliest latest]

Also, what do the events look like, particularly the userActions object?

You may need to further "expand" the userActions{} object.

0 Karma
Reply

sabari80
Explorer
‎10-25-2023 10:45 AM

if i am using preset time frames (Ex: last 60 minutes), then getting -->2023-10-25T13:34:05.040-04:00

Relative (Ex: 30 Minutes Ago) --> 2023-10-25T13:37:03.206-04:00

Real time (Ex: 30 Minutes Ago) --> No search results returned

Date Range (Ex: since 10/24/2023) --> No search results returned

Date & Time Range (Ex: 10/24/2023 12AM - 10/24/2023 1AM) --> No search results returned

Advanced --> (Ex: Earliest=-1h@h Latest=@h) --> 2023-10-25T12:59:59.762-04:00

Here is the sample userActions{} object

userActions: [ [-]
{ [-]
apdexCategory: TOLERATING
application: xxxx
cdnBusyTime: null
cdnResources: 0
cumulativeLayoutShift: 0.0535
customErrorCount: 0
dateProperties: [ [+]
]
documentInteractiveTime: 4208
domCompleteTime: 4585
domContentLoadedTime: 4492
domain: xxxx
doubleProperties: [ [+]
]
duration: 4589
endTime: 1698253596232
firstInputDelay: 1
firstPartyBusyTime: 1618
firstPartyResources: 46
frontendTime: 1387
internalApplicationId: APPLICATION-99C2CEC2F57DD796
javascriptErrorCount: 0
keyUserAction: false
largestContentfulPaint: 3926
loadEventEnd: 4589
loadEventStart: 4588
longProperties: [ [+]
]
matchingConversionGoals: [ [+]
]
name: xxxx.aspx
navigationStart: 1698253591643
networkTime: 1235
requestErrorCount: 0
requestStart: 775
responseEnd: 3202
responseStart: 2742
serverTime: 1967
speedIndex: 3956
startTime: 1698253591643
stringProperties: [ [+]
]
targetUrl: xxxx.aspx
thirdPartyBusyTime: null
thirdPartyResources: 0
totalBlockingTime: null
type: Load
userActionPropertyCount: 0
visuallyCompleteTime: 4166

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 01:52 AM

Please share the raw JSON rather than a formatted version so volunteers can try out solutions. Please use a code block </> to paste the raw JSON into to preserve the formatting from the original event.

0 Karma
Reply

sabari80
Explorer
‎10-24-2023 09:34 AM

If i use this in the sub query - earliest=$tr_14AGuxUA.earliest$ latest=$tr_14AGuxUA.latest$, then getting this error 

 

Invalid value "2023-10-16T14:00:00.000Z" for time term 'earliest'

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...