Dashboards & Visualizations

How can we include events according to both earliest and latest time

AKG1_old1
Builder

Hi,

Updating the Question!!

I am using the Time Line app in my dashboard. If I zoom in on a particular time duration, it displays only those events which start in that time duration.


If I select earliest Time = 11AM and latest Time = 3PM, it won't display these events even though they are running in that duration
(as it only displays events which start between 11AM and 3PM).

Expected TimeLine (edited snapshot)

Dashboard

    <viz type="timeline_app.timeline">
      <search>
        <query>
eventtype=mlc_live host=$host_token$ sourcetype=tool_lifecycle | eval FullCommand=ScriptName |  rex field="ScriptName" "^\S+_\K(?&lt;ScriptName&gt;[a-zA-Z]+)" | rex field="ActivityType" "^#(?&lt;ActivityType&gt;[^\.]+);" | eval ActivityType=if(isNOTNULL(ActivityType),ActivityType,"NA") | eval Start = StartDate + " " + StartTime  | eval End = EndDate + " " + EndTime | eval StartEpoc=strptime(Start,"%d/%m/%Y %H:%M:%S") | eval EndEpoc=strptime(End,"%d/%m/%Y %H:%M:%S") | eval Duration = round(EndEpoc - StartEpoc,0) | table _time ScriptName FullCommand Start End Duration UniqueIdentifier Status ActivityType | dedup UniqueIdentifier | search ScriptName IN ($script_name_token$) AND ActivityType IN ($activity_type_token$) AND FullCommand IN ($full_command_token$) AND Status IN ($status_token$) |  convert dur2sec(Duration) AS Duration | eval Duration=Duration*1000 | eval FullCommand2=FullCommand | sort 0 $sort_chart_by_token$ | table _time $Flip_Chart$ Duration UniqueIdentifier
        </query>
        <earliest>$chart_selection.earliest$</earliest>
        <latest>$chart_selection.latest$</latest>
      </search>
    </viz>

Is there any way we can check both start and end time while fetching the data?

Or (this is quite complex):

a) save the earliest time in some temp. token

b) re-evaluate the earliest time to an older time, say (12 hrs); it will also include the data which started in the last 12 hrs

c) if the earliest time is less than the temp token, overwrite it with the temp token

Or is there any better option for this problem ?

Thanks

gcusello
SplunkTrust

Hi agoyal,
In Splunk there must always be a Time Period that includes events; if you have another custom date_time field you can use it to filter events, but the problem is that the Time Period must always be larger than the custom one.

You can solve this problem in two ways:

  • you can set a fixed time period (e.g. one hour before the custom time period to search),
  • you can use two time inputs, one for the timestamp and one for the additional custom date_time field, to delimit your search.

I hope to be clear!

I had this problem for an application and I used the time picker to choose the main Time period, then I configured two dropdowns to choose start and end time.

Bye.
Giuseppe
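The first of Giuseppe's options (a fixed lookback before the selected range) combined with the overlap check the question asks for, as an added Simple XML sketch that is not from the original posts or the Timeline app. It assumes $chart_selection.earliest$ and $chart_selection.latest$ are already set by the dashboard, uses the 12-hour lookback proposed in the question, and filters on each event's own Start/End so only runs that overlap the selected window remain; anything that started more than 12 hours before the window is still missed, which is the trade-off of a fixed lookback.

```xml
<dashboard>
  <!-- Helper search (added example): addinfo resolves the selected range to
       epoch seconds whatever format the selection tokens carry, then the
       earliest bound is widened by a fixed 12h lookback (assumed value). -->
  <search>
    <query>| makeresults
| addinfo
| eval sel_earliest=info_min_time, sel_latest=info_max_time
| eval wide_earliest=relative_time(info_min_time, "-12h")</query>
    <earliest>$chart_selection.earliest$</earliest>
    <latest>$chart_selection.latest$</latest>
    <done>
      <set token="sel_earliest">$result.sel_earliest$</set>
      <set token="sel_latest">$result.sel_latest$</set>
      <set token="wide_earliest">$result.wide_earliest$</set>
    </done>
  </search>
  <row>
    <panel>
      <viz type="timeline_app.timeline">
        <search>
          <!-- Search the widened window, then keep only events whose own
               [Start, End] interval overlaps the user's selection.
               In Simple XML the comparison operators must be XML-escaped. -->
          <query>eventtype=mlc_live host=$host_token$ sourcetype=tool_lifecycle
| eval Start=StartDate + " " + StartTime, End=EndDate + " " + EndTime
| eval StartEpoc=strptime(Start, "%d/%m/%Y %H:%M:%S")
| eval EndEpoc=strptime(End, "%d/%m/%Y %H:%M:%S")
| eval Duration=round(EndEpoc - StartEpoc, 0) * 1000
| dedup UniqueIdentifier
| where StartEpoc &lt;= $sel_latest$ AND EndEpoc &gt;= $sel_earliest$
| table _time ScriptName Start End Duration UniqueIdentifier</query>
          <earliest>$wide_earliest$</earliest>
          <latest>$sel_latest$</latest>
        </search>
      </viz>
    </panel>
  </row>
</dashboard>
```

The overlap test (event starts before the window ends and ends after the window starts) is what makes a run that began at 10AM and is still going at noon appear in an 11AM to 3PM selection; the Duration here is milliseconds, matching the original pipeline's final value.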

AKG1_old1
Builder

Thanks for the reply. I have updated my question for better understanding. I tried the first point; even though it includes old data, it won't work for me.

The 2nd way isn't feasible for me either 😞
