- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to compare time range picker to change span of...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using a heatmap to represent my timechart and i have a time range picker to determine the time range of the heatmap visualization
... |timechart span=1h count by class_desc
span=1h is deal for me if a preset value of "Last 7 days" or lower is picked.
But data beyond 2 weeks will not be displayed if i were to pick the preset value of "Last 30 days".
For "Last 30 days", span=1d would be ideal
Thus I am looking to compare the time range picker token ($time_token$) of the time range:
if $time_token$ <= "Last 7 Days" then span=1h
else span=1d
p.s. i've tried the bins method and it isn't what i am looking for (https://answers.splunk.com/answers/44213/how-can-i-change-the-span-in-timechart-when-the-timerangepi...)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@esmonder, questions on similar lines have been answered before. Following is one of the ways to do this:
Step 1: Add a dummy search with your earliest and latest time input tokens (where time picker input token name is time_token).
<search>
<query>| makeresults
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
<progress>
<eval token="tokSpan">case(strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S")-strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S")>604800,"1d",true(),"1h")</eval>
</progress>
</search>
The progress search event handler is used to set the timeSpan token using eval tag. If the difference between earliest and latest time is greater than 604800 i.e. 7*24*60*60 seconds (7 days), then tokSpan is set to 1d, else it is set to 1h.
Step 2: Use tokSpan in the timechart command for Calendar Heatmap custom visualization
... |timechart span=$tokSpan$ count by class_desc
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @esmonder, if @niketnilay solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@esmonder, questions on similar lines have been answered before. Following is one of the ways to do this:
Step 1: Add a dummy search with your earliest and latest time input tokens (where time picker input token name is time_token).
<search>
<query>| makeresults
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
<progress>
<eval token="tokSpan">case(strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S")-strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S")>604800,"1d",true(),"1h")</eval>
</progress>
</search>
The progress search event handler is used to set the timeSpan token using eval tag. If the difference between earliest and latest time is greater than 604800 i.e. 7*24*60*60 seconds (7 days), then tokSpan is set to 1d, else it is set to 1h.
Step 2: Use tokSpan in the timechart command for Calendar Heatmap custom visualization
... |timechart span=$tokSpan$ count by class_desc
| makeresults | eval message= "Happy Splunking!!!"
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
