Solved: How do I set search start time and end time on das...

Kwip · ‎10-12-2017

I want to monitor my dashboard from today 7 Am to tomorrow 5 AM. I don't want to set the time manually.

FYI, My dashboard contains list of jobs running from 7AM to next day 5AM.

I need to monitor the progress continuously, so set up the auto refresh on every 5 minutes. Now I want to set the time in such a way that it will take the start time as 7AM today and end time is now or next day 5AM during every refresh.

Please take a look and let me know the possibilities. Thanks in advance!!

kamlesh_vaghela · ‎10-15-2017

Hi Kwip,

Can you please do implement below 2 points.

1) Add a search that will calculate earliest and latest. And use It in searches of all panels of your dashboard. You can directly use below code in your dashboard.

  <search>
    <query>| makeresults | eval starttime=strptime(strftime(now(),"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+79200 </query>
    <preview>
      <set token="myEarliest">$result.starttime$</set>
      <set token="myLatest">$result.endtime$</set>
    </preview>
  </search>

2) For auto-refreshing dashboard, I'm suggesting you refresh panels in every 5 minutes. Please add refresh tags into search manager of all panels.

  <refresh>5m</refresh>
  <refreshType>delay</refreshType>

Below is sample dashboard code for reference.

<dashboard>
  <label>Sample Dashboard</label>
  <search>
    <query>| makeresults | eval starttime=strptime(strftime(now(),"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+79200 </query>
    <preview>
      <set token="myEarliest">$result.starttime$</set>
      <set token="myLatest">$result.endtime$</set>
    </preview>
  </search>
  <row>
    <panel>
      <table>
        <title>$myEarliest$-$myLatest$</title>
        <search>
          <query>|stats count | addinfo</query>
          <earliest>$myEarliest$</earliest>
          <latest>$myLatest$</latest>
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

I hope this will help you.

Thanks

View solution in original post

nikita_p · ‎12-28-2017

Hi @kwip,
Can you try below eval in your xml for start and end time?
strptime(strftime(relative_time(time(), "-1d@d"),"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p")

starttime+79200

kamlesh_vaghela · ‎10-15-2017

Hi Kwip,

Can you please do implement below 2 points.

1) Add a search that will calculate earliest and latest. And use It in searches of all panels of your dashboard. You can directly use below code in your dashboard.

  <search>
    <query>| makeresults | eval starttime=strptime(strftime(now(),"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+79200 </query>
    <preview>
      <set token="myEarliest">$result.starttime$</set>
      <set token="myLatest">$result.endtime$</set>
    </preview>
  </search>

2) For auto-refreshing dashboard, I'm suggesting you refresh panels in every 5 minutes. Please add refresh tags into search manager of all panels.

  <refresh>5m</refresh>
  <refreshType>delay</refreshType>

Below is sample dashboard code for reference.

<dashboard>
  <label>Sample Dashboard</label>
  <search>
    <query>| makeresults | eval starttime=strptime(strftime(now(),"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+79200 </query>
    <preview>
      <set token="myEarliest">$result.starttime$</set>
      <set token="myLatest">$result.endtime$</set>
    </preview>
  </search>
  <row>
    <panel>
      <table>
        <title>$myEarliest$-$myLatest$</title>
        <search>
          <query>|stats count | addinfo</query>
          <earliest>$myEarliest$</earliest>
          <latest>$myLatest$</latest>
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

I hope this will help you.

Thanks

Kwip · ‎12-26-2017

@kamlesh_vaghela, Sorry for the delayed response
I tried the above one, But once midnoght crossed it is taking that day 7 AM to next next day 5 AM.

Say Example, I had tried it out at 1 AM 27/12/2017

It is taking start time at 27/12/2017 7AM and end time as 28/12/2017

But the expectation is till 27/12/2017 5 AM, the start and end time should be as below,

26/12/2017 7 AM to 27/12/2017 5AM

kamlesh_vaghela · ‎12-27-2017

HI @,

Can you please try this XML?

<dashboard>
   <label>Sample Dashboard</label>
   <search>
     <query>| makeresults | eval H=tonumber(strftime(now(),"%H")), NOW = if(H&lt;5,now()-20000,now()) | eval starttime=strptime(strftime(NOW,"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+79200 </query>
     <preview>
       <set token="myEarliest">$result.starttime$</set>
       <set token="myLatest">$result.endtime$</set>
     </preview>
   </search>
   <row>
     <panel>
       <table>
         <title>$myEarliest$-$myLatest$</title>
         <search>
           <query>|stats count | addinfo</query>
           <earliest>$myEarliest$</earliest>
           <latest>$myLatest$</latest>
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
         <option name="refresh.display">progressbar</option>
       </table>
     </panel>
   </row>
 </dashboard>

I have made the change in the search query.

Thanks
Kamlesh

Kwip · ‎12-27-2017

It is working fine.. Thank you very Much..

kamlesh_vaghela · ‎12-27-2017

Glad to help you. 🙂

Kwip · ‎12-28-2017

@kamlesh_vaghela,
Could you please tell me how to calculate this value 79200?

kamlesh_vaghela · ‎12-28-2017

Hi @Kwip,

It is total seconds of 22 hrs.
1hr = 3600 sec
22 hrs = 79200 sec

7 AM + 22 hrs = Next Day 5 AM.

Kwip · ‎04-05-2018

Hi @kamlesh_vaghela

Just wondering what this portion is performing

eval H=tonumber(strftime(now(),"%H")), NOW = if(H<5,now()-20000,now())

Could you please explain it.

Kwip · ‎08-01-2018

Hi @kamlesh_vaghela,
I am using this in my dashboard, for earliest and latest time. It is working fine but there is small issue. Whenever I am launching the dashboard, getting invalid earliest time message first and then the data getting loaded. So when I am trying to schedule the dashboard pdf delivery. getting invalid_earliest time message in all the panels.

| makeresults | eval
H=tonumber(strftime(now(),"%H")), NOW
= if(H<5,now()-20000,now()) | eval starttime=strptime(strftime(NOW,"%d/%m/%Y
07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p")
, endtime=starttime+79200

493669 · ‎10-14-2017

<search>
          <query>.....</query>
            <earliest>@d+7h</earliest>
          <latest>now</latest>
 </search>

Kwip · ‎11-01-2017

Hello 493669,
Thank you for your response,
The above is working fine when we are running on the same day. But throwing error if run on next day, I need to set like as below,

11/01/2017 - 07 AM to 11/02/2017 5 PM - whenever I am running my dashboard between the mentioned time frame, I need it should take start time time as 11/01/2017 - 07 AM.

Your query is taking 11/01/2017 - 07 AM, when we run on the day 11/01/2017, Throwing error while running on 11/02/2017.

s2_splunk · ‎10-12-2017

If I understand it right, your dashboard has an inline search and you want to know how to set earliest and latest such that it always searches from 7am of the current day to whenever your dashboard refreshes. If that's not what you are asking, please clarify.

Current day at 7am would be earliest=@d+7h (@d = beginning of current day).
Setting latest to a time in the future doesn't really make sense, unless what you are searching for can come in with timestamps in the future. You are probably okay setting latest=now, but you could also set latest=+d@d+5h, which would be next day at 5am.

Kwip · ‎11-01-2017

Hello ssievert,
Thank you for your response,
The above is working fine when we are running on the same day. But throwing error if run on next day, I need to set like as below,

11/01/2017 - 07 AM to 11/02/2017 5 PM - whenever I am running my dashboard between the mentioned time frame, I need it should take start time time as 11/01/2017 - 07 AM.

Your query is taking 11/01/2017 - 07 AM, when we run on the day 11/01/2017, Throwing error while running on 11/02/2017.

How do I set search start time and end time on dashboard?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM