Dashboards & Visualizations

How can we include events according to both earliest and latest time

AKG1_old1
Builder

Hi,

Updating the question!

I am using the Time Line app in my dashboard. If I zoom in on a particular time duration, it displays only those events which start in that time duration.

[screenshot: current timeline]

If I select earliest time = 11 AM and latest time = 3 PM, it won't display these events even though they are running in that duration
(as it only displays events which start between 11 AM and 3 PM).

Expected timeline (edited snapshot):
[screenshot: expected timeline]

Dashboard

    <viz type="timeline_app.timeline">
      <search>
        <query>
eventtype=mlc_live host=$host_token$ sourcetype=tool_lifecycle
| eval FullCommand=ScriptName
| rex field="ScriptName" "^\S+_\K(?&lt;ScriptName&gt;[a-zA-Z]+)"
| rex field="ActivityType" "^#(?&lt;ActivityType&gt;[^\.]+);"
| eval ActivityType=if(isNOTNULL(ActivityType),ActivityType,"NA")
| eval Start = StartDate + " " + StartTime
| eval End = EndDate + " " + EndTime
| eval StartEpoc=strptime(Start,"%d/%m/%Y %H:%M:%S")
| eval EndEpoc=strptime(End,"%d/%m/%Y %H:%M:%S")
| eval Duration = round(EndEpoc - StartEpoc,0)
| table _time ScriptName FullCommand Start End Duration UniqueIdentifier Status ActivityType
| dedup UniqueIdentifier
| search ScriptName IN ($script_name_token$) AND ActivityType IN ($activity_type_token$) AND FullCommand IN ($full_command_token$) AND Status IN ($status_token$)
| convert dur2sec(Duration) AS Duration
| eval Duration=Duration*1000
| eval FullCommand2=FullCommand
| sort 0 $sort_chart_by_token$
| table _time $Flip_Chart$ Duration UniqueIdentifier
        </query>
        <earliest>$chart_selection.earliest$</earliest>
        <latest>$chart_selection.latest$</latest>
      </search>
    </viz>

Is there any way we can check both start and end time while fetching the data?

Or (this is quite complex):

a) save the earliest time in some temp token

b) re-evaluate the earliest time to an older time, say 12 hrs earlier; it will also include the data which started in the last 12 hrs

c) if the earliest time is less than the temp token, overwrite it with the temp token

Or is there any better option for this problem ?

Thanks

gcusello
SplunkTrust

Hi agoyal,
In Splunk there must always be a Time Period that includes events; if you have another custom date_time field you can use it to filter events, but the problem is that the Time Period must always be larger than the custom one.

You can solve this problem in two ways:

  • you can set a fixed time period (e.g. one hour before the custom time period to search),
  • you can use two time inputs, one for the timestamp and one for the additional custom date_time field, to delimit your search.

I hope I was clear!

I had this problem for an application and I used the time picker to choose the main Time period, then I configured two dropdowns to choose start and end time.

Bye.
Giuseppe
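The difference between "starts inside the window" (what the viz does today) and "overlaps the window" (what the question asks for), and the effect of the fixed lookback from the first option in the answer above, are easy to see in a small model. This is an added example, not code from either poster; it is plain Python rather than SPL so it can be run anywhere, and the activities, times and the four-hour/one-hour lookbacks are constructed for illustration.

```python
"""Selecting timeline events that overlap a picked window, not only
those that start inside it. Added example, not code from the post."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Same timestamp layout the dashboard's strptime() calls assume.
FMT = "%d/%m/%Y %H:%M:%S"


def ts(s: str) -> datetime:
    return datetime.strptime(s, FMT)


@dataclass(frozen=True)
class Activity:
    uid: str
    start: datetime
    end: Optional[datetime]  # None = still running (no EndDate/EndTime yet)


# Constructed sample data (hypothetical, not from the post).
SAMPLE = [
    Activity("A", ts("01/02/2024 09:00:00"), ts("01/02/2024 10:30:00")),  # ends before window
    Activity("B", ts("01/02/2024 10:00:00"), ts("01/02/2024 12:00:00")),  # starts before, ends inside
    Activity("C", ts("01/02/2024 11:30:00"), ts("01/02/2024 12:30:00")),  # entirely inside
    Activity("D", ts("01/02/2024 08:00:00"), ts("01/02/2024 16:00:00")),  # spans the whole window
    Activity("E", ts("01/02/2024 14:30:00"), ts("01/02/2024 17:00:00")),  # starts inside, ends after
    Activity("F", ts("01/02/2024 15:30:00"), ts("01/02/2024 16:00:00")),  # starts after window
    Activity("G", ts("01/02/2024 10:45:00"), None),                       # still running
]

# The window picked in the dashboard (11 AM to 3 PM, as in the question).
EARLIEST = ts("01/02/2024 11:00:00")
LATEST = ts("01/02/2024 15:00:00")


def starts_in_window(events, earliest, latest):
    """What the viz does today: keep an event only if its start (its _time)
    falls inside [earliest, latest]."""
    return sorted(e.uid for e in events if earliest <= e.start <= latest)


def overlaps_window(events, earliest, latest):
    """What the question asks for: keep an event if any part of [start, end]
    intersects [earliest, latest]. A missing end is treated as open-ended."""
    return sorted(
        e.uid for e in events
        if e.start <= latest and (e.end is None or e.end >= earliest)
    )


def fetch_then_filter(events, earliest, latest, lookback_hours):
    """Model of the answer's first option: the search runs over a window
    widened backwards by a fixed lookback (Splunk's time range still selects
    on start time), then the overlap test is applied against the window the
    user actually picked."""
    fetch_from = earliest - timedelta(hours=lookback_hours)
    fetched = [e for e in events if fetch_from <= e.start <= latest]
    return overlaps_window(fetched, earliest, latest)


if __name__ == "__main__":
    print("start in window :", starts_in_window(SAMPLE, EARLIEST, LATEST))
    print("overlaps window :", overlaps_window(SAMPLE, EARLIEST, LATEST))
    for hours in (1, 4):
        print(f"lookback {hours}h     :",
              fetch_then_filter(SAMPLE, EARLIEST, LATEST, hours))
```

The start-only filter returns just C and E, while the overlap test also keeps B, D and G, which are all running during the picked window. With the widened search window the lookback has to be at least as long as the longest activity you expect: at one hour D (which started at 8 AM) is still lost, at four hours it is found. That bound is the practical limit of the fixed-period approach; an activity that has no end time yet must also be treated as open-ended or it drops out of the comparison.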

AKG1_old1
Builder

Thanks for the reply. I have updated my question for better understanding. I tried the first point; even though it includes old data, it won't work for me.

The 2nd way isn't feasible for me either 😞
