Solved: How to add / subtract time for a chart panel from ...

mraudaschl · ‎05-20-2016

I want to create a dashboard with two panels and a timepicker. One panel needs to show a chart according to the timepicker selection of the user and another panel with exactly the same data, but one week before. I tried substracting -7d from the timepicker tokens, but didn't succeed. After searching Splunk Answers, I came up with below, but now I am getting: Error in 'eval' command: The expression is malformed. Expected ), ut there are not brackets missing, so I tried adding quotes to the timepicker tokens, without success (no results are shown).

index=main source=X_monitor sourcetype=X_monitor 
earliest=[|gentimes start=-1 | eval t=relative_time($field1.earliest$,"-7d") | return $t]
latest=[|gentimes start=-1 | eval t=relative_time($field1.latest$,"-7d") | return $t]
|timechart count

field1 is my shared timepicker

Any suggestions would be appreciated.

somesoni2 · ‎05-20-2016

Try like this for your second search

index=main source=X_monitor sourcetype=X_monitor [|gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-7d") | eval latest=relative_time(info_max_time,"-7d") | table earliest latest | format "" "" "" "" "" ""]
|timechart count

More information on addinfo command here: http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Addinfo

View solution in original post

somesoni2 · ‎05-20-2016

Try like this for your second search

index=main source=X_monitor sourcetype=X_monitor [|gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-7d") | eval latest=relative_time(info_max_time,"-7d") | table earliest latest | format "" "" "" "" "" ""]
|timechart count

More information on addinfo command here: http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Addinfo

mraudaschl · ‎05-30-2016

Thanks Somesoni2, this works like a charm for me. 🙂

splunkannm · ‎09-14-2017

This does not work for me, the gentimes just gives zero results. Anything I am missing ? Please help ! Thank you 🙂

somesoni2 · ‎09-14-2017

What's your full query? The gentimes here is just to generate a sample row without hitting any of the indexes. If you're using 6.3+, you can use | makeresults instead of | gentimes start=-1.

splunkannm · ‎09-14-2017

Note makeresults and gentimes both yielded no results..

splunkannm · ‎09-14-2017

Note I removed the start=-1 in the search..

martin_mueller · ‎05-20-2016

Assuming you're on 6.4, you can use the eval element in Simple XML: http://docs.splunk.com/Documentation/Splunk/6.4.1/Viz/PanelreferenceforSimplifiedXML#eval
Using that you can set a second token to something like relative_time($field1.earliest$, "-7d") and use that second token in your search. Make sure you cover all cases your time range picker can return.

martin_mueller · ‎10-16-2018

Two things. First, apparently you need $earliest$ instead of $field.earliest$ - the former gets you the value that is about to change, the latter will get you the old value.

Second and more importantly, relative_time expects an epoch as its first parameter. It'll work if you define specific points in time, it won't work if you define relative time strings. For those you'd have to do something like relative_time(relative_time(time(), "$earliest$"), "-7d")... handling all the options can be tricky. You can get epoch numbers for points in time, relative time strings, "now", null, 0, "rt-30m", "rt", maybe more.

mraudaschl · ‎05-20-2016

we are on 6.2.4, does anyone have any other suggestion?

martin_mueller · ‎05-20-2016

Upgrade to 6.4, many great things await - bugfixes, security patches, performance improvements, new features... there isn't any real reason not to upgrade.

mraudaschl · ‎10-15-2018

Hi Martin,
coming back to this one after a lot of time.
We are on 6.6. at the moment and I tried your suggestions, here's the first part of the dashboard:

CPS_impact_assessment

<input type="time" token="incTime" searchWhenChanged="false">
  <label>Incident time</label>
  <default>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="1weekearliest">relative_time($incTime.earliest$, "-7d")</eval>
    <eval token="1weeklatest">relative_time($incTime.latest$, "-7d")</eval>
  </change>
</input>

...

further down I am using $1weekearliest$ and $1weeklatest$ as the time token for a panel but the panel seems to show "all time"
I am also displaying the tokens in the panel title but they both appear as NaN.
What have I done wrong?

How to add / subtract time for a chart panel from the selected time picker value on a dashboard?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life