Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to use 2 time range pickers in a single query

sabari80
Explorer
‎10-24-2023 09:27 AM

I have a query to retrieve user experience metrics from Dynatrace index. Wanted to compare the response times for 2 different time frames. My query is having sub query as well. In the dashboard, i am having 2 time range pickers. Main query is picking the time range from time range picker1 and in the sub query using the token from time range picker2. 

<<main search>>

| appendcols
[ search index="dynatrace"  $tr_14AGuxUA.earliest$ - $tr_14AGuxUA.latest$

| spath |output=user_actions path="userActions{}"| stats count by user_actions

this is not retrieving any data from the sub query. how to fix this?

If i am passing the hard coded values - earliest=10/23/2023:10:00:00 latest=10/23/2023:11:00:00, then its working fine. 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-26-2023 03:35 AM

Wait a second. Whenever I see "compare" and "appendcols" in the same sentence I raise my brow questioningly. Remember that appendcols doesn't preserve any order between the two searches.

I'd probably go with single search with two timeframes limited with

<your search> (earliest=$main_picker.earliest$ latest=$main_picker.latest$) OR (earliest=$secondary_picker.earliest$ latest=$secondatry_picker.latest$)

Then you can classify, stats and whatever you want.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-24-2023 10:06 AM

Try something like this

search index="dynatrace"  [| makeresults | eval earliest=relative_time(now(),"$tr_14AGuxUA.earliest$"), latest=relative_time(now(),"$tr_14AGuxUA.latest$") | table earliest latest]
0 Karma
Reply

sabari80
Explorer
‎10-24-2023 10:19 AM

tried this and not getting any results for the sub query 

 

| appendcols
[ search index="dynatrace"  [| makeresults | eval earliest=relative_time(now(),"$tr_14AGuxUA.earliest$"), latest=relative_time(now(),"$tr_14AGuxUA.latest$") | table earliest latest]
| spath output=user_actions path="userActions{}"
| stats count by user_actions

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-25-2023 09:14 AM

What do you get from just doing the index search?

index="dynatrace"  [| makeresults | eval earliest=relative_time(now(),"$tr_14AGuxUA.earliest$"), latest=relative_time(now(),"$tr_14AGuxUA.latest$") | table earliest latest]

Also, what do the events look like, particularly the userActions object?

You may need to further "expand" the userActions{} object.

0 Karma
Reply

sabari80
Explorer
‎10-25-2023 10:45 AM

if i am using preset time frames (Ex: last 60 minutes), then getting -->2023-10-25T13:34:05.040-04:00

Relative (Ex: 30 Minutes Ago) --> 2023-10-25T13:37:03.206-04:00

Real time (Ex: 30 Minutes Ago) --> No search results returned

Date Range (Ex: since 10/24/2023) --> No search results returned

Date & Time Range (Ex: 10/24/2023 12AM - 10/24/2023 1AM) --> No search results returned

Advanced --> (Ex: Earliest=-1h@h Latest=@h) --> 2023-10-25T12:59:59.762-04:00

Here is the sample userActions{} object

userActions: [ [-]
{ [-]
apdexCategory: TOLERATING
application: xxxx
cdnBusyTime: null
cdnResources: 0
cumulativeLayoutShift: 0.0535
customErrorCount: 0
dateProperties: [ [+]
]
documentInteractiveTime: 4208
domCompleteTime: 4585
domContentLoadedTime: 4492
domain: xxxx
doubleProperties: [ [+]
]
duration: 4589
endTime: 1698253596232
firstInputDelay: 1
firstPartyBusyTime: 1618
firstPartyResources: 46
frontendTime: 1387
internalApplicationId: APPLICATION-99C2CEC2F57DD796
javascriptErrorCount: 0
keyUserAction: false
largestContentfulPaint: 3926
loadEventEnd: 4589
loadEventStart: 4588
longProperties: [ [+]
]
matchingConversionGoals: [ [+]
]
name: xxxx.aspx
navigationStart: 1698253591643
networkTime: 1235
requestErrorCount: 0
requestStart: 775
responseEnd: 3202
responseStart: 2742
serverTime: 1967
speedIndex: 3956
startTime: 1698253591643
stringProperties: [ [+]
]
targetUrl: xxxx.aspx
thirdPartyBusyTime: null
thirdPartyResources: 0
totalBlockingTime: null
type: Load
userActionPropertyCount: 0
visuallyCompleteTime: 4166

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 01:52 AM

Please share the raw JSON rather than a formatted version so volunteers can try out solutions. Please use a code block </> to paste the raw JSON into to preserve the formatting from the original event.

0 Karma
Reply

sabari80
Explorer
‎10-24-2023 09:34 AM

If i use this in the sub query - earliest=$tr_14AGuxUA.earliest$ latest=$tr_14AGuxUA.latest$, then getting this error 

 

Invalid value "2023-10-16T14:00:00.000Z" for time term 'earliest'

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...