Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to dynamically change the span parameter in bucket without using drop down options.

karthikeyan_k14
New Member
‎08-14-2017 05:53 AM

I have a search like this:

index=* source=*|....| bucket Time span=(1d/1h/5m)...| 
if I select last one month from time picker, span would auto change as 1d ..bucket Time span=1d in query
if I select last one day from time picker, span would auto change as 1h ..bucket Time span=1h in query.
if I select last one hour from time picker, span would auto change as 5m ..bucket Time span=5m in query.

A condition is that I can't use drop down for span....but timepicker for selecting for date and time.

can anyone help me on this query

Tags (3)
0 Karma
Reply

sbbadri
Motivator
‎08-14-2017 07:32 AM

<form>
<label>testspandynamicchange</label>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time_tok" searchWhenChanged="false">
<label>select a time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
<change>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 86400">
<set token="stok">1h</set>
</condition>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 3600">
<set token="stok">5m</set>
</condition>
<condition match="relative_time(now(), $time_tok.latest$) - relative_time(now(), $time_tok.earliest$) >= 2629743">
<set token="stok">1d</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=splunkd group=pipeline | timechart span=$stok$ count by group</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</table>
</panel>
</row>
</form>

Reply

DalJeanis
SplunkTrust
SplunkTrust
‎08-14-2017 08:44 PM

@sbbadri - Order of the first two is reversed. You need to test 3600 before you test 86400.

Reply

niketn
Legend
‎08-14-2017 08:58 AM

@karthikeyan_k14, just FYI, if you use timechart first two should default span to what your are looking. Only for the third one it will be 1m by default not 5m.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...