send the time value for a search range

Carolina
Engager

hi,

I need to take the start and end time of the first dashboard and send the variables with a token from the first dashboard, but I do not know how to filter the time with the variables from the first dashboard to the second.

code:

<form>
  <label>MAQUETA1 SISTEMA15</label>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>1511989578.011</earliest>
        <latest>1511989578.16</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="master">
        <search>
          <query>index="banamex" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="sist15" field_header=STD2 
| eval num_trans=code_serv_std2.subcodigo_serv_std2
| transaction num_trans startswith=(resp=*I) endswith=(resp=*O)
| eval first_mix=mvindex(mix, 0) 
| eval last_mix=mvindex(mix, -1) 
| eval hour1=mvindex(hora, 0)
| eval hour2=mvindex(hora, -1)
| eval first_duration = tostring(duration, "duration")
| eval mytime=strftime(_time, "%Y-%m-%d") 
| eval fecha=strftime(strptime(mytime,"%Y-%m-%d"),"%d/%m/%Y")
| eval first_hour=strftime(strptime(hour1,"%H%M%S%2N"),"%H:%M:%S:%2N")
| eval last_hour=strftime(strptime(hour2,"%H%M%S%2N"),"%H:%M:%S:%2N")
| eval first_time=fecha." ".first_hour
| eval last_time=fecha." ".last_hour
| table mix resp first_mix last_mix first_time last_time first_duration num_trans  app_dest_std2 app_origen_std2
| rename  mix as "MIX" first_time as "Hora Inicio Respuesta" last_time as "Hora Fin Respuesta" first_duration as "Tiempo Respuesta"
  num_trans as "Número de Transacción" first_mix as "Mix Inicio" last_mix as "Mix Fin" app_dest_std2 as "Aplicación Destino"
  app_origen_std2 as "Aplicacion Origen"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="showDetails">true</set>
          <set token="first_mix">$row.Mix Inicio$</set>
          <set token="Last_Mix">$row.Mix Fin$</set>
          <set token="FirstTime">$row.Hora Inicio Respuesta$</set>
          <set token="LastTime">$row.Hora Fin Respuesta$</set>
          <set token="Duration">$row.Tiempo Respuesta$</set>
          <set token="num_trans">$row.Número de Transacción$</set>
          <set token="Destino">$row.Aplicación Destino$</set>
          <set token="Origen">$row.Aplicacion Origen$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail" depends="$showDetails$">
        <search>
          <query>index="banamex" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="sist15" 
| eval Tiempo1="$FirstTime$" 
| eval Tiempo2="$LastTime$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Could you help me?

0 Karma
1 Solution

woodcock
Esteemed Legend

In the <done> section of the first panel you can set global tokens like this:

<done>
  <set token="myEarliest">$job.earliestTime$</set>
  <set token="myLatest">$job.latestTime$</set>
</done>


0 Karma
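
A minimal dashboard wiring the answer above end to end, as an added example that is not part of the original thread: the `<done>` handler sits inside the master `<search>`, and the detail search reuses the tokens as its time range. The `_internal` queries and the `selected` token are constructed stand-ins, and it is an assumption (verify on your Splunk version) that `<earliest>`/`<latest>` accept the ISO 8601 strings that `$job.earliestTime$` and `$job.latestTime$` return.

```xml
<form>
  <label>Time range handoff (added example)</label>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="master">
        <search>
          <!-- Constructed sample query; substitute the real master search -->
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <!-- <done> is a child of <search>; it fires when the job finishes -->
          <done>
            <set token="myEarliest">$job.earliestTime$</set>
            <set token="myLatest">$job.latestTime$</set>
          </done>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="showDetails">true</set>
          <!-- "selected" is a hypothetical token name for this example -->
          <set token="selected">$row.sourcetype$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail" depends="$showDetails$">
        <search>
          <!-- |s quotes and escapes the token value before it enters SPL -->
          <query>index=_internal sourcetype=$selected|s$ | head 20</query>
          <!-- Assumption: the ISO 8601 job times are accepted as a range -->
          <earliest>$myEarliest$</earliest>
          <latest>$myLatest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The `|s` token filter matters whenever a clicked cell value is substituted into a query, because row values come from indexed data rather than from the dashboard author.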


niketn
Legend

@Carolina, refer to the answer on similar lines. There seems to be an issue with the default $earliest$ and $latest$ drilldown tokens, which might be fixed in a future release. Meanwhile, try out the workaround provided by @emeelan [Splunk]

https://answers.splunk.com/answers/587132/drilldown-pass-the-earliest-and-latest-from-a-time.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma