Dashboards & Visualizations

How to add a day to the time token in a search string and only have it affect one of the dashboard panels?

caulfiel005
Explorer

I have a file that keeps a 30 day average of values, which does not have a date field in it. Splunk is getting the date from the day the file was created, but this means the data is a day old, which is correct. However, I have a dashboard with multiple panels and a time picker which is thrown off by this. For example, the default is yesterday. The time token reflects this, and the search uses that value to look for data. But then the data it finds for yesterday is actually two days old. So, I want the search to use today's file to find yesterday's data, which I tried to accomplish by adding one day to the time token:

<earliest>$field1.earliest$+1d</earliest>
<latest>latest+1d</latest>

and the eval command:

|eval latest=case($field1.latest$ == now, "@d", 1==1, "$field1.latest$")

This was supposed to (in my mind) point the search to the file created the day after the day which was requested, giving the illusion of reading in the correct data for the date which was input by the user. This seems to be fine except where the latest time is 'now', in which case I get the error message:
Invalid latest_time: latest_time must be after earliest_time.

I tried using the actual token ($field1.earliest$) in place of my 'latest' field for <latestTime>, and I get the message:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@d == now, "@d", 1==1, "@d")'.

which I think means the actual eval case statement is broken. Maybe eval can't use things like '@d' as parameters?

Any ideas on how I can read in the data for the day the dashboard user picked? So if the date July 6th is chosen, that would be data from the file created on July 7th, etc.

jeffland
SplunkTrust

You need this in your fieldset:

<input type="time" token="time_tok">
  <change>
    <!-- A numeric token is already epoch seconds (an absolute date picked in the UI); anything else is a modifier relative to now(). Both get +1d. -->
    <eval token="time_tok_plusOneDay.earliest">if(isnum('time_tok.earliest'), relative_time('time_tok.earliest', "+1d"), relative_time(relative_time(now(), 'time_tok.earliest'), "+1d"))</eval>
    <eval token="time_tok_plusOneDay.latest">if(isnum('time_tok.latest'), relative_time('time_tok.latest', "+1d"), relative_time(relative_time(now(), 'time_tok.latest'), "+1d"))</eval>
  </change>
</input>

See this example dashboard:

<form>
  <label>_temp</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label></label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
      <change>
        <eval token="time_tok_plusOneDay.earliest">if(isnum('time_tok.earliest'), relative_time('time_tok.earliest', "+1d"), relative_time(relative_time(now(), 'time_tok.earliest'), "+1d"))</eval>
        <eval token="time_tok_plusOneDay.latest">if(isnum('time_tok.latest'), relative_time('time_tok.latest', "+1d"), relative_time(relative_time(now(), 'time_tok.latest'), "+1d"))</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>time_tok.earliest = $time_tok.earliest$</p>
        <p>time_tok.latest = $time_tok.latest$</p>
        <p>time_tok_plusOneDay.earliest = $time_tok_plusOneDay.earliest$</p>
        <p>time_tok_plusOneDay.latest = $time_tok_plusOneDay.latest$</p>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | addinfo | eval foo="I run from ".strftime(info_min_time, "%F %T")." to ".strftime(info_max_time, "%F %T") | table foo</query>
          <earliest>$time_tok_plusOneDay.earliest$</earliest>
          <latest>$time_tok_plusOneDay.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
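To check offline what windows the two <change> evals above will hand to the panel before wiring them into a production dashboard, here is an added example (not code from the question, the answer, or Splunk) that re-implements the subset of Splunk's relative_time() semantics the time picker values on this page need: epoch numbers, "now", and "[+-]N<unit>[@<unit>]" modifiers. It assumes snapping in UTC (Splunk snaps in the search time zone), @w snapping to Sunday 00:00, and a constructed "now" of 2024-07-08 15:30:00 UTC; the function and preset names are this example's own. It also reproduces the failure mode the question reports: pinning latest to @d while earliest moves forward a day inverts any picker window that ends at now.

```python
"""Model of the +1 day token shift from the accepted answer (added example)."""
import re
from datetime import datetime, timedelta, timezone

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Subset of Splunk's modifier grammar: optional signed offset, optional @snap.
MODIFIER_RE = re.compile(r"^(?:([+-]?\d+)([smhdw]))?(?:@([smhdw]))?$")
NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")


def snap(ts: float, unit: str) -> float:
    """Snap an epoch timestamp down to the start of the unit (UTC; assumption)."""
    if unit == "w":  # Splunk's @w is Sunday; modelled as Sunday 00:00 UTC
        dt = datetime.fromtimestamp(ts, tz=timezone.utc)
        dt = dt.replace(hour=0, minute=0, second=0, microsecond=0)
        return (dt - timedelta(days=(dt.weekday() + 1) % 7)).timestamp()
    return ts - (ts % UNIT_SECONDS[unit])


def relative_time(base: float, modifier: str) -> float:
    """Model of relative_time(base, modifier): apply the offset, then the @snap."""
    modifier = modifier.strip()
    if modifier in ("", "now"):
        return base
    match = MODIFIER_RE.match(modifier)
    if not match:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    amount, unit, snap_unit = match.groups()
    ts = base
    if amount is not None:
        ts += int(amount) * UNIT_SECONDS[unit]
    if snap_unit is not None:
        ts = snap(ts, snap_unit)
    return ts


def resolve_token(value, now: float) -> float:
    """The isnum() branch of the answer: a numeric token is already epoch seconds
    (an absolute date picked in the UI); anything else is relative to now()."""
    text = str(value).strip()
    if NUMBER_RE.match(text):
        return float(text)
    return relative_time(now, text)


def shifted_window(earliest, latest, now: float, shift: str = "+1d"):
    """What the two <change> evals compute for time_tok_plusOneDay.earliest/latest.
    Raises the same complaint Splunk reports if the window comes out inverted."""
    e = relative_time(resolve_token(earliest, now), shift)
    l = relative_time(resolve_token(latest, now), shift)
    if l <= e:
        raise ValueError("Invalid latest_time: latest_time must be after earliest_time.")
    return e, l


def pinned_latest_window(earliest, latest, now: float, shift: str = "+1d"):
    """Variant that pins latest to @d whenever the picker's latest is 'now'
    (the case() branch the question tried). Earliest still moves forward a day,
    so a window ending at now lands past today's midnight and inverts."""
    e = relative_time(resolve_token(earliest, now), shift)
    if latest == "now":
        l = relative_time(now, "@d")
    else:
        l = relative_time(resolve_token(latest, now), shift)
    if l <= e:
        raise ValueError("Invalid latest_time: latest_time must be after earliest_time.")
    return e, l


def iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed "now" for the demonstration: 2024-07-08 15:30:00 UTC.
NOW = datetime(2024, 7, 8, 15, 30, tzinfo=timezone.utc).timestamp()


def demo():
    """Map a few time-picker presets to (picker window, window the panel searches)."""
    cases = {
        "Yesterday": ("-1d@d", "@d"),
        "Last 24 hours": ("-24h", "now"),
        "Last 7 days": ("-7d@d", "@d"),
        "Fixed date 2024-07-07": ("1720310400", "1720396800"),  # epoch tokens
    }
    out = {}
    for name, (e, l) in cases.items():
        before = (iso(resolve_token(e, NOW)), iso(resolve_token(l, NOW)))
        after = tuple(iso(t) for t in shifted_window(e, l, NOW))
        out[name] = (before, after)
    return out


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:22s} picker {before[0]} .. {before[1]}  -> search {after[0]} .. {after[1]}")
    try:
        pinned_latest_window("-24h", "now", NOW)
    except ValueError as err:
        print("pinning latest to @d:", err)
```

The "Yesterday" preset resolves to the picker window 2024-07-07 00:00 .. 2024-07-08 00:00 and the panel then searches 2024-07-08 00:00 .. 2024-07-09 00:00, i.e. the file created the day after the date the user chose, which is what the question asked for. Shifting both ends keeps a "Last 24 hours" window valid too (its latest simply lands in the future, which Splunk accepts), whereas snapping latest to @d on its own trips the inverted-window error.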