Dashboards & Visualizations

Why is the dashboard time range picker not populating the last 10 days to now() ?

vemurisurya
Path Finder

In my dashboard, I am getting the Submit_Date max and min values which are taken from the timepicker. It select the date or time range. However, when it selects last 10 days to now, it's not working. Instead of latest now(), it's populating only now

| where Submit_Date >=$timer1.earliest$ AND Submit_Date <=$timer1.latest$
0 Karma
1 Solution

vemurisurya
Path Finder

| eval now=now() | where Submit_Date >= "$timer1.earliest$" AND Submit_Date <= "$timer1.latest$"

this hack is working for me |eval now=now()

View solution in original post

0 Karma

niketn
Legend

@vemurisurya, Submit_Date seems to be a date field from event. Does it contain epoch time or string time?

You would need to make sure Submit_Date to epoch time, if not use strptime() to convert to epoch time. Also, if you are using Time Picker input for earliest and latest tokens you have to make sure it returns epoch time as well?

Refer to the following answer using earliest and latest tokens from Time Picker input as epoch time: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Assuming you want to use same time range picket that you've in your dashboard, to filter events by different date fields, try like this (assuming your date fields have human-readable timestamp with format %Y-%m-%d %H:%M:%S. If it's different, update line 2 with that)

your current search
| eval filterDateEpoch=strptime('Submit_Date',"%Y-%m-%d %H:%M:%S")
| addinfo 
| where filterDateEpoch>=info_min_time AND Submit_Date <=info_max_time | fields - info_min_time info_max_time info_search_time info_sid filterDateEpoch

The addinfo command add current search's time range (earliest and latest) as field info_min_time (i.e. earliest) and info_max_time (i.e. latest) with value in epoch format to all events. Line two will convert your date field to epoch value so that it can be compared.

vemurisurya
Path Finder

| eval now=now() | where Submit_Date >= "$timer1.earliest$" AND Submit_Date <= "$timer1.latest$"

this hack is working for me |eval now=now()

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Is the timer1 also used as time range in your dashboard search OR you use some different timerange picker for it?

0 Karma

vemurisurya
Path Finder

All the panels are using same time picker

0 Karma

somesoni2
SplunkTrust
SplunkTrust

So do you have two time range picker in your dashboard or just one?

0 Karma

vemurisurya
Path Finder

just one

0 Karma

493669
Super Champion

try to add these tokens in header of tabel/panel to know what values are being set..

<title>earliest=$timer1.earliest$ and latest=$timer1.latest$</title>

0 Karma

vemurisurya
Path Finder

Hi,
Here in the problem, in my panels time fields are different i panel has Submit_Date other one Create_date other has closed_date
_time and the filed dates are different

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...