Dashboards & Visualizations

Using a time selector in a dashboard - how can I make modifications to latest time in a query?

rvoninski_splun
Splunk Employee

I have a dashboard and set of queries where I want to give someone the ability to select the time range. A time range isn't really as important as giving me the selection for latest time, since I am building queries based on that. Specifically, in the example below I want to only show the data for the day previous to the latest time selected; in other words, I want to make the time selection

earliest=now-48hours(snap to day)

latest=now-24hours(snap to day)

Here is the query I am trying to use, but it isn't working as written. The time token name is TimeRange.

<query>host=host123 index=security123 sourcetype="SplunkLog123" earliest=$TimeRange.latest$-2d@d latest=$TimeRange.latest$-1d@d</query>

Thanks for your help in advance.

0 Karma

woodcock
Esteemed Legend

Like this:

<query>host=host123 index=security123 sourcetype="SplunkLog123" [| makeresults | eval earliest=$TimeRange.latest$-172800, latest=$TimeRange.latest$-86400 | table earliest latest | format "" "" "" "" "" ""]</query>

0 Karma

micahkemp
Champion

You can set earliest/latest using a subsearch if necessary. In this case, you can set earliest using an eval based on info_max_time, created via addinfo.

Try this, which should set earliest to be essentially latest-1d:

host=host123 index=security123 sourcetype="SplunkLog123"  [| makeresults | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest]

Edit:

Try this instead:

[| makeresults | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest]  host=host123 index=security123 sourcetype="SplunkLog123"

I've seen issues before with Splunk interpreting earliest=/latest= as key/values pairs of the data itself (instead of time modifiers) if they aren't at the start of the query.

0 Karma

rvoninski_splun
Splunk Employee

LOL - I should have just emailed you Micah!!

I'm not quite getting this to work yet - the query, run by itself from within Splunk search, returns no results when the subsearch is added. By itself the subsearch is returning

| makeresults  | addinfo | eval earliest=relative_time(info_max_time, "-1d") | table earliest

Result: a one-element table with the following value --> 1496349788.000000

Any idea on what to check? Have you been able to get this to run against your own queries with this subsearch?

Thanks.
RV

0 Karma

rvoninski_splun
Splunk Employee

So close - I think I've got it working. We needed to modify the latest time to get the events to show the events I want. Only mod made:

[| makeresults | addinfo | eval latest=relative_time(info_max_time, "-1d") | table latest]

Going to test within dashboards now.

0 Karma
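As an added example (not code from anyone in this thread), here is the working approach placed into a Simple XML dashboard. The panel's search is bound to the TimeRange picker, so addinfo's info_max_time inside the subsearch is the selected latest time, and the subsearch returns both boundaries with the snap-to-day offsets from the original question. The dashboard label, panel title, and the use of `return` instead of `table` to emit the earliest/latest pair are my assumptions.

```xml
<form>
  <label>Previous-day security events</label>
  <fieldset submitButton="false">
    <!-- The time input exposes $TimeRange.earliest$ and $TimeRange.latest$ -->
    <input type="time" token="TimeRange">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Events from the day before the selected latest time</title>
        <search>
          <!-- The subsearch comes first so earliest/latest are read as time
               modifiers, not as field=value pairs in the data (see above).
               Inline earliest/latest override the picker range for the outer
               search, while the subsearch itself still runs under the picker
               range, so info_max_time is the selected latest time. -->
          <query>
            [| makeresults | addinfo
             | eval earliest=relative_time(info_max_time, "-2d@d"),
                    latest=relative_time(info_max_time, "-1d@d")
             | return earliest latest]
            host=host123 index=security123 sourcetype="SplunkLog123"
          </query>
          <earliest>$TimeRange.earliest$</earliest>
          <latest>$TimeRange.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

To check what the subsearch is feeding the outer search, run the bracketed part on its own over the same time range and confirm the two epoch values land on midnight boundaries.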