Dashboards & Visualizations

How to apply a time range one day before and one day after the selected one?

VatsalJagani
SplunkTrust

How to apply timerange on a panel that is one day earlier and 1 day after the selected timeline on timerange?

Here is my approach, which is not working; I have no idea why.

<form>
  <label>Test Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timerange_1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
      <change>
        <eval token="timerange_earliest">tonumber(if($timerange_1.earliest|s$=="now", now(), relative_time(now(), $timerange_1.earliest|s$)))-43200*2</eval>
        <eval token="timerange_latest">tonumber(if($timerange_1.latest|s$=="now", now(), relative_time(now(), $timerange_1.latest|s$)))+43200*2</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal | timechart count</query>
          <earliest>$timerange_earliest$</earliest>
          <latest>$timerange_latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
  </row>
</form>

One more thing: this is expected to work only with relative values, like "-7d@h", but will not work if the time range is selected as in-between or absolute (epoch time). Please give a solution, if possible, that handles both cases.

0 Karma

kamlesh_vaghela
SplunkTrust

@VatsalJagani

Can you please try this?

<form>
   <label>Test Dashboard</label>
   <fieldset submitButton="false">
     <input type="time" token="timerange_1">
       <label></label>
       <default>
         <earliest>0</earliest>
         <latest></latest>
       </default>
     </input>
   </fieldset>
   <row>
     <panel>
       <chart>
         <search>
           <query>index=_internal [| makeresults | addinfo | eval earliest=if(info_min_time=0,0,info_min_time-(24*60*60)) | eval latest=if(info_max_time="","",info_max_time+(24*60*60)) | return earliest, latest] | timechart count</query>
           <earliest>$timerange_1.earliest$</earliest>
           <latest>$timerange_1.latest$</latest>
         </search>
         <option name="charting.chart">line</option>
         <option name="charting.drilldown">all</option>
       </chart>
     </panel>
   </row>
 </form>

Thanks


0 Karma

HiroshiSatoh
Champion

Is this not good?

  <chart>
    <search>
      <query>index=_internal | timechart count</query>
      <earliest>$timerange_1.earliest$-1d</earliest>
      <latest>$timerange_1.latest$+1d</latest>
    </search>
0 Karma

VatsalJagani
SplunkTrust

The chart is showing an error: Invalid latest_time: latest_time must be after earliest_time.
When I try to open it in search, the attempt fails and a JS error is shown in the console: Uncaught TypeError: Cannot read property 'earliestTime' of undefined.

0 Karma