How to control earliest and latest in the search string using forms in XML?

HattrickNZ
Motivator

I have the following search in my XML:

index= ... earliest=-20d@d latest=+d@d | timechart ...  | timewrap ...

How do I control the search using a form? I basically want to be able to control this earliest=-20d@d latest=+d@d and I only want to increase the value 20 up or down. Maybe I should use some other type of form control?

This is my 1st attempt:

<label>Timeframe</label>
<default>
  <earliestTime>-20d</earliestTime>
  <latestTime>now</latestTime>
</default>
0 Karma
1 Solution

ngatchasandra
Builder

Hi HatNZ,

If I understood your task well, try the XML code that follows: with this, you can specify either -20d, -30d or more in the input text. It works fine!
Try to run it!

<form>
  <label>time</label>
  <fieldset submitButton="true">
    <input type="text" token="time_tok">
      <label>Specify a time</label>
      <default>-20d</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | stats count by sourcetype |head 10</query>
          <earliest>$time_tok$</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>


stephane_cyrill
Builder

Hi,
As you have adapted your code, if it produces no error it is OK. Now try this:
1- Create an input for an integer.
2- Use the input token like this:

index= ... earliest=-$time_tok$d@d latest=+d@d | timechart ... | timewrap ...

3- You can even remove "earliest=-" and "d@d" and put them in the fieldset as token prefix and token suffix.
The query will now be:

index= ... $time_tok$ latest=+d@d | timechart ... | timewrap ...

0 Karma

HattrickNZ
Motivator

Thanks, I adapted that to do something like this.

<input type="text" token="time_tok">
<label>Specify a time</label>
<default>-20d@d</default>
</input>

index= ... earliest=$time_tok$ latest=+d@d | timechart ... | timewrap ...

This way I am controlling the earliest=$time_tok$ part using the input.

0 Karma

ngatchasandra
Builder

What do you want now? Are you satisfied?

0 Karma

stephanefotso
Motivator

Here is an example:

<form>
  <label>Single Value Customization: Panel Color</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label/>
      <default>
        <earliestTime>0</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <input type="dropdown" token="index" searchWhenChanged="true">
      <label>Choose one index</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForLabel="index" fieldForValue="index">| eventcount summarize=false index=* OR index=_*</populatingSearch>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <single id="id1">
      <title>Count of all events in index=$index$</title>
      <searchString>index=$index$ OR index=_$index$|stats count</searchString>
      <earliestTime>$time.earliest$</earliestTime>
      <latestTime>$time.latest$</latestTime>
      <option name="field">count</option>
      <option name="beforeLabel">There is</option>
      <option name="afterLabel">Total Events</option>
      <option name="underLabel">All events</option>
    </single>

  </row>
</form>
SGF
0 Karma

HattrickNZ
Motivator

I specifically want to be able to control this in the search earliest=-20d@d, changing it to this earliest=-30d@d or this earliest=-40d@d for example. Maybe I am taking the wrong approach.

0 Karma