Splunk Search

Dashboard: How can I convert a token from a "Time Picker" into a unit of time like minutes?

danielbarr
Explorer

Hi everyone,

Here's the process I'm trying to do.

Initial Conversion
1. Use a "Time Picker" input -->
2. Take the time selected -->
3. Convert that into a token that stores the value in minutes

Example & Usage of the Token
1. User selects desired selection from the time picker input -->
ex: Selected time is "last 4 hours"
2. a token is then given the value in minutes
ex: $sel_time$ = 240 -->
3. use the token inside a custom time frame
ex: 7d-$sel_time$


I'm not sure how the time picker is formatted or stored, so I'm having trouble. Thanks!

sgadde
Explorer


<input type="time" searchWhenChanged="true">
  <label></label>
  <default>
    <earliest>-7d@w0</earliest>
    <latest>@w0</latest>
  </default>
  <change>
    <condition match="isnum($earliest$) OR isnum($latest$)">
      <eval token="sel_time">tostring(($latest$-$earliest$)/60)+"m"</eval>
    </condition>
    <condition>
      <eval token="sel_time">tostring((relative_time(now(), $latest$)-relative_time(now(), $earliest$))/60)+"m"</eval>
    </condition>
  </change>
</input>


<panel>
  <table>
    <title>$sel_time$</title>
    <search>
      <query>index=_internal | head 1 | eval minutes=$sel_time|s$, earliest=$earliest|s$, latest=$latest|s$ | table earliest, latest, minutes</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="drilldown">row</option>
    <option name="dataOverlayMode">none</option>
    <option name="count">10</option>
  </table>
</panel>

This will create a new token, sel_time, which holds the number of minutes contained in the time range.
The time picker gives you earliest and latest tokens either as epoch/Unix timestamps (if you select a date range or specify the date/time explicitly) or in string format like "-7d@w0" (if you select relative time range presets).

Logic: sel_time token is set based on the type of earliest and latest.

  • If both are numeric, sel_time token is the difference between the epoch provided by the latest and earliest tokens of your time picker input divided by 60.
  • For all other cases, latest and earliest tokens are converted to epoch and the difference in seconds is divided by 60 and stored in sel_time token.

In your question, step 3 ("use the token inside a custom time frame, ex: 7d-$sel_time$"), your $sel_time$ should have "m" at the end to specify that the value given by $sel_time$ is in minutes.

Here the string conversion and the concatenation of "m" at the end are done so the sel_time token can be used along with relative time presets without modification.

tmcmaster
Explorer

Thanks for this. From my testing I didn't even need the conditional on the isnum.

   <change>
       <eval token="sel_time">tostring((relative_time(now(), $latest$)-relative_time(now(), $earliest$))/60)+"m"</eval>
   </change>

My only issue now is initializing the string. It works great on changes, but init doesn't seem to have the values in the time picker yet.

0 Karma

koenphilipsen
Engager

Thanks! This helped me a lot.
But I think you have to change the references to the variables like this:

    <input type="time" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition match="isnum(earliest)">
          <eval token="sel_time">tostring((latest-earliest)/60)+"m"</eval>
        </condition>
        <condition>
          <eval token="sel_time">tostring((relative_time(now(), latest)-relative_time(now(), earliest))/60)+"m"</eval>
        </condition>
      </change>
    </input>
0 Karma

sgadde
Explorer

I think earliest and latest should be enclosed in $ since they are tokens. I've used a similar piece of code and that worked for me.

0 Karma

sundareshr
Legend

Try this

  <fieldset submitButton="false">
    <input type="time" token="t" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | head 1 | eval x=strftime(relative_time(now(), "$t.earliest$"), "%c") | table _time x</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
0 Karma

danielbarr
Explorer

I'm not sure how to use this for my case. All I want is the timespan selected in minutes, not the formatted date. So if they select 60 minutes the token would just be $sel_timespan$ = 60. Maybe I'm misunderstanding what you did here.

I think I'd have to take the two time periods your code gives and then subtract them to get the time in minutes.

Thanks.

0 Karma

neluvasilica
Explorer

@danielbarr, did you manage to get this working? I am trying to achieve the same thing but without great success...

0 Karma

sundareshr
Legend

You could do eval e=relative_time(now(), "$t.earliest$") | eval l=relative_time(now(), "$t.latest$") | eval dur=l-e to get the duration

0 Karma
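To check the two approaches in this thread offline (sgadde's <change> conditions that produce a "...m" token, and sundareshr's relative_time() subtraction for the duration), here is an added Python example; it is not code from the thread or from Splunk. It emulates relative_time() for the modifier syntax the time picker emits: chained [+-]N<unit> offsets, @<unit> snaps including @w0..@w6, the word now, and purely numeric tokens, which it treats as epoch seconds. NOW is a constructed, fixed timestamp so the results are repeatable. Two choices are assumptions of this example rather than verified Splunk behaviour: the span is truncated to whole minutes, because a relative time modifier takes an integer count and a fractional "1477.366667m" is not a usable offset; and an offset must carry an explicit sign, so the question's 7d-$sel_time$ is written as -7d-240m.

```python
"""Emulate Splunk's relative_time() and the thread's <change> minute logic.

Added example, not the thread's own code. Assumptions: NOW is a fixed,
constructed timestamp; the modifier grammar covered is [+-]N<unit>,
@<unit>, @w0..@w6 (applied left to right), 'now', and numeric epoch
strings (what the time picker emits for explicit date ranges)."""
import calendar
import re
from datetime import datetime, timedelta, timezone

# Constructed reference "now": Wednesday 2024-03-13 10:37:22 UTC.
NOW = datetime(2024, 3, 13, 10, 37, 22, tzinfo=timezone.utc)

_UNIT = {}
for _canon, _names in {
    "s": ("s", "sec", "secs", "second", "seconds"),
    "m": ("m", "min", "mins", "minute", "minutes"),
    "h": ("h", "hr", "hrs", "hour", "hours"),
    "d": ("d", "day", "days"),
    "w": ("w", "week", "weeks"),
    "mon": ("mon", "month", "months"),
    "y": ("y", "yr", "yrs", "year", "years"),
}.items():
    for _n in _names:
        _UNIT[_n] = _canon
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# One offset ("-7d") or one snap ("@w0") per match; the modifier is consumed left to right.
_PART = re.compile(r"([+-])(\d*)([a-z]+)|@([a-z]+)(\d)?")


def _unit(name):
    try:
        return _UNIT[name]
    except KeyError:
        raise ValueError(f"unknown time unit {name!r}") from None


def _shift(t, n, unit):
    """Add n units to t. Month/year steps clamp the day of month to what exists
    (assumption for this example: 31 Jan - 1mon -> 28/29 Feb)."""
    u = _unit(unit)
    if u in _SECONDS:
        return t + timedelta(seconds=n * _SECONDS[u])
    months = t.year * 12 + t.month - 1 + (n if u == "mon" else 12 * n)
    year, month0 = divmod(months, 12)
    month = month0 + 1
    return t.replace(year=year, month=month,
                     day=min(t.day, calendar.monthrange(year, month)[1]))


def _snap(t, unit, weekday):
    """Truncate t back to the start of the unit; @w / @w0 = Sunday, @w1 = Monday ... @w6 = Saturday."""
    u = _unit(unit)
    if weekday is not None and u != "w":
        raise ValueError(f"day number is only valid with @w, got @{unit}{weekday}")
    if u == "s":
        return t.replace(microsecond=0)
    if u == "m":
        return t.replace(second=0, microsecond=0)
    if u == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if u == "d":
        return day
    if u == "w":
        target = int(weekday or 0)          # Splunk numbering: 0 = Sunday
        current = (day.weekday() + 1) % 7   # Python: Monday = 0, so shift Sunday to 0
        return day - timedelta(days=(current - target) % 7)   # most recent such day, today if it matches
    if u == "mon":
        return day.replace(day=1)
    return day.replace(month=1, day=1)      # "y"


def relative_time(now, modifier):
    """Resolve a time-picker token (relative modifier string or epoch) to a datetime."""
    mod = modifier.strip().lower()
    if mod in ("", "now"):
        return now
    if re.fullmatch(r"\d+(\.\d+)?", mod):   # epoch seconds, e.g. "1710000000" or "0"
        return datetime.fromtimestamp(float(mod), tz=now.tzinfo)
    t, pos = now, 0
    while pos < len(mod):
        m = _PART.match(mod, pos)
        if not m:
            raise ValueError(f"cannot parse {modifier!r} at offset {pos}")
        pos = m.end()
        if m.group(4):
            t = _snap(t, m.group(4), m.group(5))
        else:
            count = int(m.group(2) or 1)    # "-d" means "-1d"
            t = _shift(t, count if m.group(1) == "+" else -count, m.group(3))
    return t


def selected_minutes(earliest, latest, now=NOW):
    """The thread's <change> logic: span between the two tokens as an 'Nm' modifier.
    Whole minutes only (assumption): a relative modifier takes an integer count."""
    seconds = (relative_time(now, latest) - relative_time(now, earliest)).total_seconds()
    if seconds < 0:
        raise ValueError("latest is before earliest")
    return f"{int(seconds // 60)}m"


if __name__ == "__main__":
    for e, l in (("-4h", "now"), ("-7d@w0", "@w0"), ("1710000000", "1710014400"), ("-24h@h", "now")):
        span = selected_minutes(e, l)
        # Plug the span into a custom time frame, as the question wanted ("7d-$sel_time$"):
        print(f"{e:>12} .. {l:<12} -> {span:>7}   -7d-{span} = "
              f"{relative_time(NOW, '-7d-' + span):%Y-%m-%d %H:%M:%S}")
```

Running the block prints the spans for the question's "last 4 hours" case (240m) and for the -7d@w0 / @w0 default in sgadde's snippet (10080m), then feeds each span back through the parser as -7d-<span>. When the real token is interpolated into SPL, the |s filter used in sgadde's query is worth keeping: it quotes the token value so the picker output is never spliced into the search as raw text.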