Dynamically add a day to latest time?

dreamwork801
Path Finder

I am changing the Simple XML for a drilldown to go to another panel on my dashboard.
Currently there is a line graph and you can click on any point to see more information about it, but I want to bring the dates with it. I can easily set the earliest date to the date that is on the chart, but obviously if I also set the latest date as the same date on the chart, nothing will show up, because Splunk includes the time in the date as well.

So the drilldown XML code looks like this:

<drilldown>
  <link>
    <![CDATA[ request_stats?form.sourcetype=$click.name2$&early=$click.value$&form.team=$team$&form.app=$app$ ]]>
  </link>
</drilldown>

And the search I'm running takes in the time like this:

"Name" = "$form.sourcetype$" earliest=$early$ [search "AppName" = "Master" "Status" = "500" | fields + ContextId]

And I want to enter the latest time as something like latest=earliest+1d,
with the idea in mind that if earliest is set to July 18th 2014 at midnight, then latest would be set to July 19th 2014 at midnight.

Or if I could set it in the URL for the drilldown, I just don't know how to do either. Feel free to ask a question for clarification on what I said above.

1 Solution

somesoni2
SplunkTrust

Try this

Name="$form.sourcetype$" earliest=$early$ latest=[|gentimes start=-1 | eval t=relative_time($early$,"+d")| return $t][search AppName="Master" Status=500 | fields ContextId]

dreamwork801
Path Finder

That worked perfectly! Thank you

0 Karma

martin_mueller
SplunkTrust

That $t may throw off the dashboard, you'll need to escape it with another dollar sign.

martin_mueller
SplunkTrust

You could do this:

Name="$form.sourcetype$" earliest=$early$ latest=`relative_time($early$, "+d")` [search AppName="Master" Status=500 | fields ContextId]

That's an eval-based macro (Settings -> Advanced Search -> Macros) you need to define as relative_time(2) with two parameters time,relative and this body:

 relative_time($time$, "$relative$")

0 Karma

martin_mueller
SplunkTrust

You should take a look at getting the macro to work - it'll be miles faster than launching an entire subsearch just to do a tiny calculation.

You know the search for AppName="Master" isn't affected by the outer earliest and latest, right?

0 Karma

martin_mueller
SplunkTrust

Check whether the relevant part of your macros.conf looks like this:

[relative_time(2)]
args = time,relative
definition = relative_time($time$, "$relative$")
iseval = 1

Also make sure you have the appropriate backticks around the macro call:

... latest=`relative_time($early$, "+d")` ...

0 Karma

dreamwork801
Path Finder

I'm getting an invalid value "relative_time" for time term 'latest'

I put relative_time(2) as the name
I put time,relative as arguments (it wouldn't let me use $ signs)
I put relative_time($time$, "$relative$") in the definition

0 Karma