Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the time Input Token(Range) not working in our dashboard panel query?

sureshkrovi
Explorer
‎11-09-2018 01:11 PM

Hi,

Can you please help me to understand how to use the time input token range for the below scenarios? I'm having issues dealing with the time range filter in dashboard query.

  • Oracle table added to splunk using DBconnect
    ProviderID Booked_Date Time Visit_Type
    1 11/1/2018 10AM Office
    1 11/1/2018 11AM Telephone
    2 11/2/2018 10AM Telephone
    3 11/5/2018 3PM Office

  • Look up crated to get Name for provider ID that is working good with static query.

index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP | eval myDate=strptime(BOOKED_DATE, "%Y-%m-%d")
| where myDate=strptime("11/1/2018", "%Y-%m-%d") | chart count(VISIT_TYPE_CID) over APPT_DATE by VISIT_TYPE_NAME

  • Time input field(form( created with token "time_input" and below query returns no records though splunk have events.

index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP | eval myDate=strptime(BOOKED_DATE, "%Y-%m-%d")
| where myDate>=strptime("$time_input.latest$", "%Y-%m-%d") AND myDate<=strptime("$time_input.latest$", "%Y-%m-%d") | chart count(VISIT_TYPE_CID) over APPT_DATE by VISIT_TYPE_NAME

Note: Getting long integers when trying to retrieve "time_input" from UI.

Thanks.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-09-2018 10:14 PM

If you're seeing long integers then you're seeing epoch timestamps. You don't need to put them through strptime(), they already have the unit/format strptime() would return. You can compare them to myDate directly.

Side note, you're using $time_input.latest$ twice. You probably want $time_input.earliest$ for the first comparison.

0 Karma
Reply

sureshkrovi
Explorer
‎11-14-2018 03:36 PM

Thanks martin for the response,I tweaked the query to use strpttime() and strftime() in right places.It's working good.Here is the final query used.
index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP |eval earlyDate=strftime("$time_range.earliest$", "%Y-%m-%d")| eval latestDate=strftime("$time_range.latest$", "%Y-%m-%d")| eval apptDate=strptime(APPT_DATE, "%Y-%m-%d %H:%M:%S")|eval apptDate1=strftime(apptDate, "%Y-%m-%d")|where apptDate1>=earlyDate AND apptDate1<=latestDate |table APPT_DATE VISIT_TYPE_CID VISIT_TYPE_NAME earlyDate latestDate apptDate1 | chart count(VISIT_TYPE_CID) over apptDate1 by VISIT_TYPE_NAME

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...