Hi,
I am using a formula, but this isn't working as expected.
I am trying to make a check box which will give the earliest time to the input value field + 5 min
and the latest to the input value field + 4 hrs.
But the timechart query below doesn't work right.
If I am taking the default value 10pm,
then the earliest should be: 10.05 pm and latest 2 am,
but the timechart shows 6pm-10pm.
Please help.
I used this link by you:
https://answers.splunk.com/answers/613054/can-i-set-a-latest-relative-to-an-absolute-earlies.html
<title>Response time (avg) and Response time overall average</title>
<input type="text" token="tokSelectEarliestTime" searchWhenChanged="true">
<label>Earliest Time</label>
<default>01/08/2018:10:00:00</default>
<change>
<eval token="tokEarliest">strptime($value$,"%m/%d/%Y:%H:%M:%S")+300</eval>
<eval token="tokLatest">strptime($value$,"%m/%d/%Y:%H:%M:%S")+14400</eval>
</change>
</input>
<single>
<search>
<query>index="idxx" sourcetype IN ("kaf") component=$component$ (logpoint=request-in OR logpoint=response-out) earliest=$tokEarliest$ latest=$tokLatest$
| stats earliest(_time) as earliest_time, latest(_time) as latest_time by component,transaction-id
| eval duration=latest_time-earliest_time
| stats avg(duration) as ResponseTime
$earliest$
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">80</option>
<option name="linkView">search</option>
<option name="numberPrecision">0.00</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
<chart>
<search>
<query>index="idx" sourcetype IN ("ka") component=$component$ (logpoint=request-in OR logpoint=response-out) earliest=$tokEarliest$ latest=$tokLatest$
| stats earliest(_time) as earliest_time, latest(_time) as latest_time by component,transaction-id
| eval duration=latest_time-earliest_time
| eval _time=earliest_time
| timechart span=1h, avg(duration) as avg_resp
$earliest$
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Resp. Time (sec)</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">bottom</option>
<option name="charting.seriesColors">[0x990099]</option>
<option name="height">350</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
@Mohsin123, you have defined two tokens, tokEarliest and tokLatest, but, although some of your search query is not visible, it seems like you are using the tokens $earliest$ and $latest$.
Also, on a different note, when you use <eval> to set a token for time, it would use the current system time zone (expecting that to be the issue here, as hours seem to have shifted by 4 hours).
Try to use an independent search to set the tokens instead as explained in the following answer of mine to set the earliest and latest time tokens: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
Also validate with string time to ensure that token is getting set properly first!
@niketnilay can u pls help here
@woodcock could you please help here
@renjith.nair Hi Renjith, could you pls help here , hope u remb me ...i reported u mistakenly while rewarding you 😛