Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

send the time value for a search range

Carolina
Engager
‎12-02-2017 11:15 PM

hi,

I need to take the start and end time of the first dashboard, and send the variables with token from the first dashboaad but I do not know how to filter the time with the variables from the first dashboard to the second

code:

<form>
  <label>MAQUETA1 SISTEMA15</label>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>1511989578.011</earliest>
        <latest>1511989578.16</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="master">
        <search>
          <query>index="banamex" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="sist15" field_header=STD2 
| eval num_trans=code_serv_std2.subcodigo_serv_std2
| transaction num_trans startswith=(resp=*I) endswith=(resp=*O)
| eval first_mix=mvindex(mix, 0) 
| eval last_mix=mvindex(mix, -1) 
| eval hour1=mvindex(hora, 0)
| eval hour2=mvindex(hora, -1)
| eval first_duration = tostring(duration, "duration")
| eval mytime=strftime(_time, "%Y-%m-%d") 
| eval fecha=strftime(strptime(mytime,"%Y-%m-%d"),"%d/%m/%Y")
| eval first_hour=strftime(strptime(hour1,"%H%M%S%2N"),"%H:%M:%S:%2N")
| eval last_hour=strftime(strptime(hour2,"%H%M%S%2N"),"%H:%M:%S:%2N")
| eval first_time=fecha." ".first_hour
| eval last_time=fecha." ".last_hour
| table mix resp first_mix last_mix first_time last_time first_duration num_trans  app_dest_std2 app_origen_std2
| rename  mix as "MIX" first_time as "Hora Inicio Respuesta" last_time as "Hora Fin Respuesta" first_duration as "Tiempo Respuesta"
  num_trans as "Número de Transacción" first_mix as "Mix Inicio" last_mix as "Mix Fin" app_dest_std2 as "Aplicación Destino"
  app_origen_std2 as "Aplicacion Origen"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="showDetails">true</set>
          <set token="first_mix">$row.Mix Inicio$</set>
          <set token="Last_Mix">$row.Mix Fin$</set>
          <set token="FirstTime">$row.Hora Inicio Respuesta$</set>
          <set token="LastTime">$row.Hora Fin Respuesta$</set>
          <set token="Duration">$row.Tiempo Respuesta$</set>
          <set token="num_trans">$row.Número de Transacción$</set>
          <set token="Destino">$row.Aplicación Destino$</set>
          <set token="Origen">$row.Aplicacion Origen$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail" depends="$showDetails$">
        <search>
          <query>index="banamex" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="sist15" 
| eval Tiempo1="$FirstTime$" 
| eval Tiempo2="$LastTime$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

  could you help me?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2017 10:36 AM

In the <done> section of the first panel you can set global tokens like this;

 <done>
     <set token="myEarliest">$job.earliestTime$</set>
     <set token="myLatest">$job.latestTime$</set>
</done>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2017 10:36 AM

In the <done> section of the first panel you can set global tokens like this;

 <done>
     <set token="myEarliest">$job.earliestTime$</set>
     <set token="myLatest">$job.latestTime$</set>
</done>
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-02-2017 11:24 PM

@Carolina, refer to answer on similar lines. There seems to be issue with default $earliest$ and $latest$ drilldown tokens, which might be fixed in future release. Meanwhile try out the workaround provided by @emeelan [Splunk]

https://answers.splunk.com/answers/587132/drilldown-pass-the-earliest-and-latest-from-a-time.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...