- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to subtract date for a timechart panel from th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to create a dashboard with 2 panels and a time range picker. I want to be able to:
- Search a specific time period to display on Panel #1
- Compare the above to the same time period the previous week (so 1 week ago) using Panel #2
So panel #2 will display the exact same data and specific time but 1 week ago.
Errors:
1. The code below will work but only during the first time i run the dashboard
2. Everytime i choose a different time/date, it will gives different results (not 1 week ago)
3. Sometimes the panel will not refresh when a new date/time has been selected
Snippet below:
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time" searchWhenChanged="true">
<label>Current Time</label>
<default>
<earliest>1501034400</earliest>
<latest>1501120800</latest>
</default>
<change>
<eval token="earliest_offset">relative_time(now(), $time.earliest$) - 604800</eval>
<eval token="latest_offset">relative_time(now(), $time.latest$) - 604800</eval>
</change>
</input>
<title>Panel#1</title>
<search>
<query>`search string`</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<title>Panel#2</title>
<search>
<query>`search string`</query>
<earliest>$earliest_offset$</earliest>
<latest>$latest_offset$</latest>
</search>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found the answer to this question form another question i posted regarding the panels not updating. Thank you for your assistance in this.
Here: https://answers.splunk.com/answers/558256/panel-not-updating-when-changing-the-time-range-pi.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found the answer to this question form another question i posted regarding the panels not updating. Thank you for your assistance in this.
Here: https://answers.splunk.com/answers/558256/panel-not-updating-when-changing-the-time-range-pi.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have this macro:
[shift_time(2)]
args = time,shift
definition = if("$time$"=="" OR "$time$"=="0", "0", if(match("$time$", "^\d+$$"), relative_time("$time$", "$shift$"), if("$time$"=="now", "\"$shift$\"", "\"$time$$shift$\"")))
iseval = 1
You can build a dashboard like this:
<form>
<label>relativetime macro</label>
<fieldset submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label></label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="offset" searchWhenChanged="true">
<label>Vergleichszeitraum für den Schwellwert</label>
<choice value="-h">Vor 1 Stunde</choice>
<choice value="-d">Vor 1 Tag</choice>
<choice value="-w">Vor 1 Woche</choice>
<choice value="-4w">Vor 4 Wochen</choice>
<choice value="-1mon">Vor 1 Monat</choice>
<choice value="-52w">Vor 52 Wochen</choice>
<choice value="-y">Vor 1 Jahr</choice>
<default>-h</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=_internal | timechart count
| appendcols [search earliest=`shift_time($time.earliest$, $offset$)` latest=`shift_time($time.latest$, $offset$)` index=_internal | timechart count as comp]</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart.overlayFields">comp</option>
</chart>
</panel>
</row>
</form>
(ignore the German-ness)
Your approach should work too if you use $earliest$ and $latest$ inside the eval elements, the time. prefixed ones are only set after the evals are done. That gives you each time range delayed by one instance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Martin. I'll have a look further into the macro and see how it goes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this!
time range picker:time
Panel#1
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
Panel#2
<earliest>$time.earliest$-1w@w</earliest>
<latest>$time.earliest$</latest>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks HiroshiSatoh. I tried this and the panel just shows Invalid Earliest Time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which A will result in an error? It works properly in my environment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Panel #2 was displaying the error. I've tried a few times and still the same error
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found I was also getting that error until I removed the white space e.g. $time.earliest$ - 1w@w will give the error while $time.earliest$-1w@w works correctly.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
