Splunk Search

time picker

seanmylne
New Member

Hi guys,

I am trying to show 2 tables - one for the time frame using a time-picker and one search for the same time frame but for 7 days ago.

Below is my query using field1 as my time picker.

Below is my "query" in my dashboard.

host="xxx-xxx-xxx" sourcetype="alarm_metric" ealiest=$field1.earliest$-86400m latest=$field1.ealiest$-86385m
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)"
| eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago" | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed
| eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey

I am using count and not timechart, so I cannot use timewrap, as I want to show a count of response times 0-1, 2-3 and so on.

Thanks
Sean

0 Karma

micahkemp
Champion

The previous answer wanted you to have two searches, one for your panel, one that is separate from any panel and really just sets the tokens. For your panel search, something like this:

    <search>
      <query>host="xxx-xxx-xxx" sourcetype="alarm_metric" | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx
      | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000
      | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago"  | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric"
      | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000
      | table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
      <earliest>$earliest7$</earliest>
      <latest>$latest7$</latest>
    </search>

Note I moved $earliest7$ and $latest7$ out of the search string and into the earliest/latest fields below. But if you do need to use a token in a search string, you need to make sure it's surrounded by $ (on both sides). Your pasted XML had some instances of $ on only one side of the token name.

And then another search higher up in the dashboard to set the tokens:

   <search id="set_time">
     <query><![CDATA[| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)]]></query>
     <done>
       <condition match="'job.resultCount' == 1">
          <set token="earliest7">$result.earliest7$</set>
          <set token="latest7">$result.latest7$</set>
       </condition>
     </done>
   </search>

Consider referencing this recent answer I posted regarding how this may look as a complete XML example.

0 Karma

seanmylne
New Member

Hi micahkemp,

Thanks for the advice. However, I cannot actually get it to work. Not sure what I am missing, but I either get "invalid start time" or "waiting for input" when I try to get it to work.

Thanks
Sean

0 Karma

micahkemp
Champion

Can you paste the XML of your dashboard that is not working?

0 Karma

seanmylne
New Member

Hi micahkemp

This is what I have, which errors with "invalid earliest time".

SM_Test

<query>
  <![CDATA[| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)]]>
</query>
<done>
  <condition match="'job.resultCount' == 1">
    <set token="earliest7">$result.earliest7$</set>
    <set token="latest7">$result.latest7$</set>
  </condition>
</done>


<input type="time" token="field1" searchWhenChanged="true">
  <label></label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <title>xyz</title>
    <search>
      <query>host="xxx-xxx-xxx" sourcetype="alarm_metric"  |spath "Message.SourceApp" | search "Message.SourceApp"=xyz | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago"  | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" $earliest$ $latest$ | spath "Message.SourceApp" | search "Message.SourceApp"=xyz | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
      <earliest>$earliest7$</earliest>
      <latest>$latest7$</latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>

Thanks
Sean

0 Karma

nryabykh
Path Finder

There seem to be a number of problems with earliest=$field1.earliest$-86400m latest=$field1.ealiest$-86385m. First of all, you cannot subtract "86400m", because Splunk holds "86400m" as a string. It's better to use earliest=$field1.earliest$-86400, without "m". Second, if you want to get "This Time 7 Days Ago", you should subtract 7*24*3600 = 604800, rather than 86400. Lastly, this notation fails if you select a relative time in your initial time picker. In this case $field1.earliest$ equals "-15m" or something like that, and it will be difficult to compute "-15m-604800".

You can try the following workaround. Add a search on your dashboard with this query:

<search>
  <query>| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)</query>
  <earliest>$field1.earliest$</earliest>
  <latest>$field1.latest$</latest>
  <done>
    <set token="earliest7">$result.earliest7$</set>
    <set token="latest7">$result.latest7$</set>
  </done>
</search>

Then use the tokens $field1.earliest$ and $field1.latest$ as the earliest and latest bounds in the "today" subsearch, and use the tokens $earliest7$ and $latest7$ as the earliest and latest bounds in the "7 days ago" subsearch.

0 Karma
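The two answers above (micahkemp's token-setting search plus panel, and nryabykh's search bounded by the time picker) fit together into one form. The following is an added example assembled here for illustration, not XML posted by anyone in the thread. The host, sourcetype and SourceApp value keep the thread's own placeholders (`xxx-xxx-xxx`, `alarm_metric`, `xxxx`); the form label, panel title and the search id `set_time` are assumptions chosen for this example.

```xml
<form>
  <label>Response times vs. 7 days ago</label>

  <fieldset submitButton="false">
    <!-- The picker's range is available as $field1.earliest$ / $field1.latest$ -->
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Global search with no panel: it only sets tokens. It is bounded by the
       picker so that addinfo reports the picked range as epoch seconds in
       info_min_time / info_max_time, regardless of whether the user chose a
       relative range ("-15m") or absolute dates. "+Infinity" (all time) is
       mapped to now(). $result.<field>$ is only defined inside <done>/<progress>
       of the search that produced the row, which is why the tokens are set here. -->
  <search id="set_time">
    <query>| makeresults | addinfo
| eval earliest7=info_min_time-7*24*3600,
       latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <done>
      <condition match="'job.resultCount' == 1">
        <set token="earliest7">$result.earliest7$</set>
        <set token="latest7">$result.latest7$</set>
      </condition>
    </done>
  </search>

  <row>
    <panel>
      <title>Response time distribution (seconds)</title>
      <table>
        <search>
          <!-- Outer search: the "7 days ago" window from the computed tokens.
               Subsearch: the picked window, passed as earliest/latest modifiers.
               CDATA keeps the "<elapsed>" named group valid inside XML. -->
          <query><![CDATA[host="xxx-xxx-xxx" sourcetype="alarm_metric"
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx
| eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)"
| eval elapsed=elapsed/1000
| table _time spath host elapsed | eval ReportKey="This Time 7 Days Ago"
| append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$
    | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx
    | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)"
    | eval elapsed=elapsed/1000
    | table _time spath host elapsed | eval ReportKey="Today"]
| chart count by elapsed span=1 ReportKey]]></query>
          <earliest>$earliest7$</earliest>
          <latest>$latest7$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

When the form loads, the panel shows "Search is waiting for input..." only until `set_time` finishes and its `<done>` handler sets `$earliest7$` and `$latest7$`; if that message never clears, the tokens were not set, which is what happens when the `<set>` elements sit outside a search's `<done>` handler or name the result field with a stray `$` (as in `$result.$earliest7$`). The form can be checked without any data by temporarily adding `<option name="refresh.display">progressbar</option>` or simply watching whether the panel's time range in the search job inspector resolves to epoch values seven days behind the picker.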

seanmylne
New Member

Hi Nryabykh,

Thanks for the reply. TBH, I tried it with and without the m and could not get it to play 😞

I have also tried to add your suggestions but without success. I have added my panel and start of the form:-

SM_Test

<input type="time" token="field1" searchWhenChanged="true">
  <label></label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>

<init>
  <set token="earliest7">$result.$earliest7$</set>
  <set token="latest7">$result.$latest7$</set>
</init>

<panel>
  <table>
    <title>Test App</title>
    <search>
      <query>makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600) 
      host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=earliest7$ latest=latest7$ | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx 
      | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000 
      | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago"  | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$ 
      | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P&lt;elapsed&gt;\S+)" | eval elapsed = elapsed/1000 
      | table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>

Using the above I get an error stating "Search is waiting for input....".

Not sure where I am going wrong.

Thanks
Sean

0 Karma

mstark31
Path Finder

Could there be a syntax error with the fact that there are 3 $ in the token setting expression?

$result.$earliest7$
0 Karma

nryabykh
Path Finder

Hi, Sean.
Sorry for bad formatting in my answer, I was confused a bit about text input controls here. Micahkemp represented it clearly in the answer below.

0 Karma

micahkemp
Champion

If your question was answered, please accept the answer you consider most valid/helpful, so this answer no longer appears open.

0 Karma

seanmylne
New Member

Hi nryabykh,

Even with it explained a little bit more, I cannot get either to work. I have tried various permutations of following both pieces of advice, but I either get "waiting for input" or "invalid start time".

Thanks
Sean

0 Karma