Dashboards & Visualizations

How to set my default time to previous business day ?

SapthagiriAavik
Explorer

My current default search time is last 24 hours and we don't have a data on weekend days. On Mondays there is no result and in this case, we want to change the default search time as previous business day.

Tags (3)
0 Karma

niketn
Legend

Try the following run anywhere dashboard.

The <init> section sets the weekDayOverride (based on earliest time selected in the time picker) which is supposed to be Sun in your case. For testing you can set it to previous day on the day you are running the dashboard, i.e. Mon if you are testing the dashboard on Tuesday. Also you need to ensure that Time Picker is set to Last 24 hours (if you have already overridden while testing).

This dashboard runs a dummy search with get the earliest and latest time in epoch for the selected time in the time picker using addinfo command. If the abbreviated Weekday is the same as the Week day to override then the earliest and latest time is pushed back by 2 days i.e. 2*24*60*60

Please test out the following dashboard and confirm.
PS: <set token="weekDayOverride">Sun</set>, is set to Sunday (Sun) as per requirement however, you would need to change it to Mon, if you are testing on Tuesday.

<form>
  <label>Reset to Two days prior based on Week Day to Override</label>
  <init>
    <set token="weekDayOverride">Sun</set>
  </init>
  <!-- Dummy Search to adjust input time based on Earliest Time Selected -->
  <!-- If the earliest time lies on date selected as weekDayOverride day, 
  then it sets earliest and latest to 2*24*60*60 seconds back(i.e. 2 days)-->
  <search>
    <query>
    | makeresults
    | addinfo
    | eval DayOfWeek=strftime(info_min_time,"%a")
    | table DayOfWeek info_min_time info_max_time
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <eval token="earliestDayOfWeek">$result.DayOfWeek$</eval>
      <eval token="form.tokTime.earliest">if($result.DayOfWeek$==$weekDayOverride$,$result.info_min_time$-172800,$form.tokTime.earliest$)</eval>
      <eval token="form.tokTime.latest">if($result.DayOfWeek$==$weekDayOverride$,$result.info_max_time$-172800,$form.tokTime.latest$)</eval>
      <eval token="tokTime.earliest">if($result.DayOfWeek$==$weekDayOverride$,$result.info_min_time$-172800,$tokTime.earliest$)</eval>
      <eval token="tokTime.latest">if($result.DayOfWeek$==$weekDayOverride$,$result.info_max_time$-172800,$tokTime.latest$)</eval>
      <!-- String Time Only for Display/Testing -->
      <eval token="tokEarliestTimeStr">if($result.DayOfWeek$==$weekDayOverride$,strftime($result.info_min_time$-172800,"%Y/%m/%d %H:%M:%S"),strftime($result.info_min_time$,"%Y/%m/%d %H:%M:%S"))</eval>
      <eval token="tokLatestTimeStr">if($result.DayOfWeek$==$weekDayOverride$,strftime($result.info_max_time$-172800,"%Y/%m/%d %H:%M:%S"),strftime($result.info_max_time$,"%Y/%m/%d %H:%M:%S"))</eval>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <div>WeekDayToOverride: $weekDayOverride$ - earliestDayOfWeek : $earliestDayOfWeek$</div>
        <div>form.tokTime.earliest: $form.tokTime.earliest$ - form.tokTime.latest: $form.tokTime.latest$</div>
        <div>tokTime.earliest: $tokTime.earliest$ - tokTime.latest: $tokTime.latest$</div>
        <div>tokEarliestTimeStr : $tokEarliestTimeStr$ - tokLatestTimeStr : $tokLatestTimeStr$</div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title></title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
            | timechart count by component limit=5 useother=f usenull=f</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mwdbhyat
Builder

Hi,

Check this doc out: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

The example at the bottom of the doc will answer your question.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...