How to display earliest and latest dates of searches in a dashboard and PDF report?

joonradley
Path Finder

Hi,

How do you display the earliest and latest dates of the searches in a dashboard that is later rendered into a PDF report?

This report gets mailed out once a week and with no earliest and latest dates it is pretty tough to keep track of them.

Thank you

Joon

gabriel_vasseur
Contributor

If, like me, you don't want that information in a table but want to display it in some HTML or in the title of panels, edit the XML and locate the ... block. Within it add a "done" clause like in this example:

<search>
  <query> ... </query>
  <earliest> ... </earliest>
  <latest> ... </latest>
  <done>
    <eval token="earliest_token"> strftime( relative_time( now(), $job.request.earliest_time$ ),  "%c" ) </eval>
    <eval token="latest_token"> strftime( relative_time( now(), $job.request.latest_time$ ),  "%c" ) </eval>
  </done>
</search>

Then you can do things like:

<row>
  <panel>
    <html>
      <p>Showing data from $earliest_token$ to $latest_token$.</p>
    </html>
  </panel>
</row>

There are many ways this can be tweaked to your preference, starting with the format you give to strftime. This example assumes that the earliest/latest are relative times such as "-7d@d" etc. You'll need to update the eval if they are epoch timestamps for instance.

Also, I'm using this with a base search at the top of the dashboard (outside any panel). If you're trying this with a search within a panel, I'm not 100% sure the tokens will be available everywhere in the dashboard.

One slight annoyance with this solution is that the earliest/latest tokens are not populated until the search is done, but I haven't found how to avoid that. Works for me anyway.

gabriel_vasseur
Contributor

Unfortunately, that works for the dashboard but not for the scheduled PDF 😞

0 Karma

musskopf
Builder

You could add a table showing the min and max _time, like this:

index=main | stats min(_time) AS startDate, max(_time) AS endDate | convert timeformat="%F %T" ctime(*Date)

Just add it as another element to the Dashboard in a table format.
