- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to display earliest and latest dates of search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to display earliest and latest dates of searches in a dashboard and PDF report?
Hi,
How do you display the earliest and latest dates of the searches in a dashboard that is later rendered into a PDF report?
This report gets mailed out once a week and with no earliest and latest dates it is pretty tough to keep track of them.
Thank you
Joon
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If, like me, you don't want that information into a table but want to display it in some HTML or in the title of panels, edit the xml and locate the ... block. Witin it add a "done" clause like in this example:
<search>
<query> ... </query>
<earliest> ... </earliest>
<latest> ... </latest>
<done>
<eval token="earliest_token"> stftime( relative_time( now(), $job.request.earliest_time$ ), "%c" ) </eval>
<eval token="latest_token"> stftime( relative_time( now(), $job.request.latest_time$ ), "%c" ) </eval>
</done>
</search>
Then you can do things like:
<row>
<panel>
<html>
<p>Showing data from $earliest_token$ to $latest_token$.</p>
</html>
</panel>
</row>
There is many ways this can be tweaked to your preference, starting with the format you give to strftime. This example assumes that the earliest/latest are relative times such as "-7d@d" etc. You'll need to update the eval if they are epoch timestamps for instance.
Also, I'm using this with a base search at the top of the dashboard (outside any panel). If you're trying this with a search within a panel, I'm not a 100% sure the tokens will be available everywhere in the dashboard.
One slight annoyance with this solution is that the earliest/latest tokens are not populated until the search is done, but I haven't found how to avoid that. Works for me anyway.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, that works for the dashboard but not for the scheduled PDF 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could add a table showing the min and max _time, like that:
index=main | stats min(_time) AS startDate, max(_time) AS endDate | convert timeformat="%F %T" ctime(*Date)
Just add it as another element to the Dashboard in a table format.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
