Dashboards & Visualizations

Issue with passing date value as an argument to the "earliest" field

mahbs
Path Finder

Hi,

So I've created a drop down for start date and end date which is receiving dates from the "_time" variable from a query I'm running. Now, the _time variable holds date in the following format for instance: 30/10/2017 00:30:00. I want to be able to manipulate my graph so that whatever date is selected, the graph is updated to represent the data from a specified time period.

The issue is, the drop down panel represents the dates as 30/10/2017, the time element is missing. When passing a token containing the date to the earliest field, I get an error message saying the value passed isn't acceptable:

//Code for drop down and populating it with dates.

<input type="dropdown" token="source_tok" searchWhenChanged="true">
  <label>Select Start Date</label>
  <choice value=""></choice>
  <default>Start Date</default>
  <populatingSearch fieldForLabel="Date" fieldForValue="Date">index="test" | stats count by Date</populatingSearch>
</input>

//This is the search query, wherein the output (date) is being passed into the dropdown panel:

source=xxx host=xxx " index="test" sourcetype="csv" earliest=-1d@d latest=-0d@d | eval ReportKey="Yesterday" |  append [search index="test" sourcetype="csv" earliest=$source_tok$  latest=$End_Date$ | eval ReportKey="Last Week"]|timechart span= avg("CPU") by ReportKey

I'm passing my token to the "earliest" field so that data shown in that time period is shown, for

What could be the solution? I tried to create my own timestamp variable which would include the time, but it's not showing up on the dropdown section.

Here's what I've done:

 eval newTime = strftime(Date, "%m-%d-%Y:%H:%M:%S")

But I'm not sure how to use the newTime variable

0 Karma

DalJeanis
Legend

You refer in your question to the _time field, which is internally stored as an epoch date but which is presented by the interface in your local time layout. However, your query that populates the dropdown does not refer to _time.

Probably the easiest thing to do to fix some of your connections would be to put the value for the epoch date in the value field of the dropdown.

<populatingSearch fieldForLabel="Date" fieldForValue="DateValue">index="test"| stats count by Date| eval DateValue=strptime(Date,"%d/%m/%Y") </populatingSearch>

That way, the resulting token would contain the epoch date of the date that is displayed... assuming it is a date....

However, the rest of what you are doing is confused. You've hard coded the phrase "Last week" into the subsearch... which is almost never going to be last week. That should probably be loaded as a date by using strftime() against the token.


As an aside - you should really get in the habit of using ISO-8601 format for dates... 2017-10-30. It can never be mistaken for any other format, whereas 03/06/2017 could be June 2 or March 6 depending on your location. This also has the great advantage that you can sort and compare the human-readable dates directly, rather than having to convert them to another format first. Your users will get used to it extremely quickly, and it will save you major headaches in the long run.


If you want more complete suggestions about your dashboard, then you might want to give us a better idea of what you are comparing against what, and how many options you are giving your users. If they are merely picking the date to compare against, then you should have a second token calculated based on the first one when the first one changes.

That's going to look something like...

 <input type="dropdown" token="early_tok" searchWhenChanged="true">
   <label>Select Start Date</label>
   <choice value=""></choice>
   <default>Start Date</default>
   <populatingSearch fieldForLabel="Date" fieldForValue="DateValue">
       index="test"
       | stats count by Date
       | eval DateValue=strptime(Date,"%d/%m/%Y") 
   </populatingSearch>
   <change>
     <eval token="late_tok">$early_tok$+86400</eval>
   </change>
 </input>

And the search would look something like this...

 source=xxx host=xxx " index="test" sourcetype="csv" earliest=-1d@d latest=-0d@d 
| eval ReportKey="Yesterday" 
|  append [search 
    index="test" sourcetype="csv" earliest=$early_tok$  latest=$late_tok$ 
    | eval ReportKey="Last Week"]
|timechart span= avg("CPU") by ReportKey

We haven't attempted to fix anything else, although I expect that the query can be improved quite a bit if we learn more about what you are attempting to do.

0 Karma
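
Added example (not part of the original thread and not Splunk code): a Python sketch of the conversion the answer describes, turning a day-first dropdown label into an earliest/latest epoch pair and rejecting values that are not dates, such as the dropdown's "Start Date" default. The function names are hypothetical, the sample labels are constructed, and UTC is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Exactly dd/mm/YYYY: rejects "", "Start Date" and "30/10/2017 00:30:00".
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4}")


def _parse(label):
    """Parse a day-first label strictly; raise ValueError on anything else."""
    if not DATE_RE.fullmatch(label):
        raise ValueError(f"not a dd/mm/YYYY date: {label!r}")
    return datetime.strptime(label, "%d/%m/%Y")  # also rejects 31/02/2017


def day_window(label, tz=timezone.utc):
    """Return (earliest, latest) epoch seconds covering the labelled day.

    Assumption: the day is interpreted in a fixed-offset zone (UTC here).
    """
    start = _parse(label).replace(tzinfo=tz)
    end = start + timedelta(days=1)  # same idea as $early_tok$+86400
    return int(start.timestamp()), int(end.timestamp())


def iso_label(label):
    """Render the label in ISO-8601 form, which sorts and compares as text."""
    return _parse(label).strftime("%Y-%m-%d")


def is_ambiguous(label):
    """True when the label also parses month-first to a different date."""
    day_first = _parse(label)
    try:
        month_first = datetime.strptime(label, "%m/%d/%Y")
    except ValueError:
        return False  # e.g. 30/10/2017: there is no month 30
    return month_first != day_first


if __name__ == "__main__":
    # Constructed sample values, including the dropdown's default text.
    for value in ["30/10/2017", "03/06/2017", "Start Date", ""]:
        try:
            earliest, latest = day_window(value)
            print(value, iso_label(value), earliest, latest,
                  "ambiguous" if is_ambiguous(value) else "unambiguous")
        except ValueError as err:
            print("rejected:", err)
```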