Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to set my default time to previous business day ?

SapthagiriAavik
Explorer
‎02-20-2018 04:12 AM

My current default search time is last 24 hours and we don't have a data on weekend days. On Mondays there is no result and in this case, we want to change the default search time as previous business day.

Tags (3)
0 Karma
Reply

niketn
Legend
‎02-20-2018 09:39 AM

Try the following run anywhere dashboard.

The <init> section sets the weekDayOverride (based on earliest time selected in the time picker) which is supposed to be Sun in your case. For testing you can set it to previous day on the day you are running the dashboard, i.e. Mon if you are testing the dashboard on Tuesday. Also you need to ensure that Time Picker is set to Last 24 hours (if you have already overridden while testing).

This dashboard runs a dummy search with get the earliest and latest time in epoch for the selected time in the time picker using addinfo command. If the abbreviated Weekday is the same as the Week day to override then the earliest and latest time is pushed back by 2 days i.e. 2*24*60*60

Please test out the following dashboard and confirm.
PS: <set token="weekDayOverride">Sun</set>, is set to Sunday (Sun) as per requirement however, you would need to change it to Mon, if you are testing on Tuesday.

<form>
  <label>Reset to Two days prior based on Week Day to Override</label>
  <init>
    <set token="weekDayOverride">Sun</set>
  </init>
  <!-- Dummy Search to adjust input time based on Earliest Time Selected -->
  <!-- If the earliest time lies on date selected as weekDayOverride day, 
  then it sets earliest and latest to 2*24*60*60 seconds back(i.e. 2 days)-->
  <search>
    <query>
    | makeresults
    | addinfo
    | eval DayOfWeek=strftime(info_min_time,"%a")
    | table DayOfWeek info_min_time info_max_time
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <eval token="earliestDayOfWeek">$result.DayOfWeek$</eval>
      <eval token="form.tokTime.earliest">if($result.DayOfWeek$==$weekDayOverride$,$result.info_min_time$-172800,$form.tokTime.earliest$)</eval>
      <eval token="form.tokTime.latest">if($result.DayOfWeek$==$weekDayOverride$,$result.info_max_time$-172800,$form.tokTime.latest$)</eval>
      <eval token="tokTime.earliest">if($result.DayOfWeek$==$weekDayOverride$,$result.info_min_time$-172800,$tokTime.earliest$)</eval>
      <eval token="tokTime.latest">if($result.DayOfWeek$==$weekDayOverride$,$result.info_max_time$-172800,$tokTime.latest$)</eval>
      <!-- String Time Only for Display/Testing -->
      <eval token="tokEarliestTimeStr">if($result.DayOfWeek$==$weekDayOverride$,strftime($result.info_min_time$-172800,"%Y/%m/%d %H:%M:%S"),strftime($result.info_min_time$,"%Y/%m/%d %H:%M:%S"))</eval>
      <eval token="tokLatestTimeStr">if($result.DayOfWeek$==$weekDayOverride$,strftime($result.info_max_time$-172800,"%Y/%m/%d %H:%M:%S"),strftime($result.info_max_time$,"%Y/%m/%d %H:%M:%S"))</eval>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <div>WeekDayToOverride: $weekDayOverride$ - earliestDayOfWeek : $earliestDayOfWeek$</div>
        <div>form.tokTime.earliest: $form.tokTime.earliest$ - form.tokTime.latest: $form.tokTime.latest$</div>
        <div>tokTime.earliest: $tokTime.earliest$ - tokTime.latest: $tokTime.latest$</div>
        <div>tokEarliestTimeStr : $tokEarliestTimeStr$ - tokLatestTimeStr : $tokLatestTimeStr$</div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title></title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
            | timechart count by component limit=5 useother=f usenull=f</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mwdbhyat
Builder
‎02-20-2018 07:08 AM

Hi,

Check this doc out: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

The example at the bottom of the doc will answer your question.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...