How to change the time range picker before a searc...

ayusuf · ‎12-01-2016

I believe it's possible but I haven't been able to figure it out yet but I would like to change the time range dynamically before the search is executed.

Basically I'm doing a chart for a certain time range but I would like to always +2 days from what the user selects.

Updated dashboard:

<form>
  <label>timechanger</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-2d@d</earliest>
        <latest>-1d@d</latest>
      </default>
      <change>
        <eval token="e">if(isnum($time.latest$), relative_time($time.latest$, "+3d@d"), relative_time(relative_time(now(), $time.latest$), "+3d@d"))</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=mongod | timechart span=1d count by sourcetype</query>
          <earliest>$time.earliest$</earliest>
          <latest>$e$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

My simple dashboard:

<form>
  <label>timechanger</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-2d@d</earliest>
        <latest>-1d@d</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=mongod | timechart span=1d count by sourcetype</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

sundareshr · ‎12-01-2016

Not sure I understand what you mean by +2 days from what the user selects - is the earliest or latest or both? Regardless, you can tweak this concept to fit your specific needs. In you search, you will use the new token create dynamically, instead of $time.earliest$

 <input type="time" token="time" searchWhenChanged="true">
   <label></label>
   <default>
     <earliest>-2d@d</earliest>
     <latest>-1d@d</latest>
   </default>
   <change>
   <eval token="e">if(isnum($time.earliest$, relative_time($time.earliest$, "+2d@d"), relative_time(relative_time(now(), $time.earliest$), "+2d@d")</eval>
  <change>
 </input>

VatsalJagani · ‎10-18-2018

In eval here, even brackets are imbalance. @sundareshr - can you please correct?

dineshraj9 · ‎09-08-2017

Nice logic!! Wanted to create a view to analyze time zone issue for logs going into future and this is exactly what I need 🙂

ayusuf · ‎12-01-2016

The latest. Earliest can stay as is. I think I can modify what you gave me to apply on $time.latest$ and pass that as token to my panel, is that correct?

sundareshr · ‎12-01-2016

That's Correct

ayusuf · ‎12-02-2016

Okay so I added that change and it doesn't seem to be working. The updated dashboard is at top. I keep getting, "Invalid latest_time: latest_time must be after earliest_time". At first it didn't work at all because some parens were missing in the eval. It seems like it should work according to the logic in the eval. I also tried using Splunk Debugger but I couldn't figure out why the e token kept consistently being 190800. Any ideas?

How to change the time range picker before a search is executed in a dashboard?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes