How to add a day to the time token in a search str...

caulfiel005 · ‎07-07-2015

I have a file that keeps a 30 day average of values, which does not have a date field in it. Splunk is getting the date from the day the file was created, but this means the data is a day old, which is correct. However, I have a dashboard with multiple panels and a time picker which is thrown off by this. For example, the default is yesterday. The time token reflects this, and the search uses that value to look for data. But then the data it finds for yesterday is actually two days old. So, I want the search to use today's file to find yesterday's data, which I tried to accomplish by adding one day to the time token with one day added:

<earliest>$field1.earliest$+1d</earliest>
<latest>latest+1d</latest>

and the eval command:

|eval latest=case($field1.latest$ == now, "@d", 1==1, "$field1.latest$")

This was supposed to (in my mind) point the search to the file created the day after the day which was requested, giving the illusion of reading in the correct data for the date which was input by the user. This seems to be fine except where the latest time is 'now', in which case I get the error message:
Invalid latest_time: latest_time must be after earliest_time.

I tried using the actual token ($field1.earliest$) in place of my 'latest' field for <latestTime>, and I get the message:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@d == now, "@d", 1==1, "@d")'.

which I think means the actual eval case statement is broken. Maybe eval can't use things like '@d' as parameters?

Any ideas on how I can read in the data for the day the dashboard user picked? So if the date July 6th is chosen, that would be data from the file created on July 7th, etc.

jeffland · ‎10-20-2017

You need this in your fieldset:

<input type="time" token="time_tok">
  <change>
    <eval token="time_tok_plusOneDay.earliest">if(isnum('time_tok.earliest'), relative_time('time_tok.earliest', "+1d"), relative_time(relative_time(now(), 'time_tok.earliest'), "+1d")</eval>
    <eval token="time_tok_plusOneDay.latest">if(isnum('time_tok.latest'), relative_time('time_tok.latest', "+1d"), relative_time(relative_time(now(), 'time_tok.latest'), "+1d")</eval>
  </change>
</input>

See this example dashboard:

<form>
  <label>_temp</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label></label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
      <change>
        <eval token="time_tok_plusOneDay.earliest">if(isnum('time_tok.earliest'), relative_time('time_tok.earliest', "+1d"), relative_time(relative_time(now(), 'time_tok.earliest'), "+1d")</eval>
        <eval token="time_tok_plusOneDay.latest">if(isnum('time_tok.latest'), relative_time('time_tok.latest', "+1d"), relative_time(relative_time(now(), 'time_tok.latest'), "+1d")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
          <p>time_tok.earliest = $time_tok.earliest$</p>
          <p>time_tok.latest = $time_tok.latest$</p>
          <p>time_tok_plusOneDay.earliest = $time_tok_plusOneDay.earliest$</p>
          <p>time_tok_plusOneDay.latest = $time_tok_plusOneDay.latest$</p>
        </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | addinfo | eval foo="I run from ".strftime(info_min_time, "%F %T")." to ".strftime(info_max_time, "%F %T") | table foo</query>
          <earliest>$time_tok_plusOneDay.earliest$</earliest>
          <latest>$time_tok_plusOneDay.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

How to add a day to the time token in a search string and only have it affect one of the dashboard panels?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms