- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- How to show one set of reports if a user selects 1...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there anyway to determine the amount of time selected from a time picker? For example, if a user selected 1 day or less, I would like to show one set of reports, but if a user selects more than 1 day, I would like to show a different set.
<input type="time" token="maintime" searchWhenChanged="true">
<label>Select Date/Time</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<p>$maintime.earliest$ to $maintime.latest$ </p>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you're looking for this:
<form>
<fieldset submitButton="false">
<input type="time" token="maintime" searchWhenChanged="true">
<label>Select Date/Time</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
<change>
<condition match="relative_time(now(), latest) - relative_time(now(), earliest) > 86400">
<set token="more_than_day_tok">1</set>
<unset token="less_than_day_tok"></unset>
</condition>
<condition match="relative_time(now(), latest) - relative_time(now(), earliest) <= 86400">
<unset token="more_than_day_tok"></unset>
<set token="less_than_day_tok">1</set>
</condition>
</change>
</input>
</fieldset>
<row depends="$less_than_day_tok$">
<panel>
<table>
<title>This is a panel for less than a day</title>
<search>
...
</table>
</panel>
</row>
<row depends="$more_than_day_tok$">
<panel>
<table>
<title>This is a panel for more than a day</title>
<search>
...
</table>
</panel>
</row>
</form>
This will set a token depending on the duration of the time selected, coping with both relative (-1d@h) and absolute (epoch timestamp) values. The magic is in the <change> and <condition> statements.
By the way, when you want to use this as XML for your dashboard, don't forget to replace
< and >
with
< and >
in the <condition> lines or your UI will complain about invalid XML.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you're looking for this:
<form>
<fieldset submitButton="false">
<input type="time" token="maintime" searchWhenChanged="true">
<label>Select Date/Time</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
<change>
<condition match="relative_time(now(), latest) - relative_time(now(), earliest) > 86400">
<set token="more_than_day_tok">1</set>
<unset token="less_than_day_tok"></unset>
</condition>
<condition match="relative_time(now(), latest) - relative_time(now(), earliest) <= 86400">
<unset token="more_than_day_tok"></unset>
<set token="less_than_day_tok">1</set>
</condition>
</change>
</input>
</fieldset>
<row depends="$less_than_day_tok$">
<panel>
<table>
<title>This is a panel for less than a day</title>
<search>
...
</table>
</panel>
</row>
<row depends="$more_than_day_tok$">
<panel>
<table>
<title>This is a panel for more than a day</title>
<search>
...
</table>
</panel>
</row>
</form>
This will set a token depending on the duration of the time selected, coping with both relative (-1d@h) and absolute (epoch timestamp) values. The magic is in the <change> and <condition> statements.
By the way, when you want to use this as XML for your dashboard, don't forget to replace
< and >
with
< and >
in the <condition> lines or your UI will complain about invalid XML.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have 2 searches like search_A and search_B then do this:
| noop | stats count AS SingleUselessEventToGenerateSingleMapSearch | addinfo | eval spanSeconds = info_max_time - info_min_time | eval searchString = if((spanSeconds<=(60*60*24)), "search_A", "search_B") | map search="search $searchString$"
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
