Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the time Input Token(Range) not working in our dashboard panel query?

sureshkrovi
Explorer
‎11-09-2018 01:11 PM

Hi,

Can you please help me to understand how to use the time input token range for the below scenarios? I'm having issues dealing with the time range filter in dashboard query.

  • Oracle table added to splunk using DBconnect
    ProviderID Booked_Date Time Visit_Type
    1 11/1/2018 10AM Office
    1 11/1/2018 11AM Telephone
    2 11/2/2018 10AM Telephone
    3 11/5/2018 3PM Office

  • Look up crated to get Name for provider ID that is working good with static query.

index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP | eval myDate=strptime(BOOKED_DATE, "%Y-%m-%d")
| where myDate=strptime("11/1/2018", "%Y-%m-%d") | chart count(VISIT_TYPE_CID) over APPT_DATE by VISIT_TYPE_NAME

  • Time input field(form( created with token "time_input" and below query returns no records though splunk have events.

index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP | eval myDate=strptime(BOOKED_DATE, "%Y-%m-%d")
| where myDate>=strptime("$time_input.latest$", "%Y-%m-%d") AND myDate<=strptime("$time_input.latest$", "%Y-%m-%d") | chart count(VISIT_TYPE_CID) over APPT_DATE by VISIT_TYPE_NAME

Note: Getting long integers when trying to retrieve "time_input" from UI.

Thanks.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-09-2018 10:14 PM

If you're seeing long integers then you're seeing epoch timestamps. You don't need to put them through strptime(), they already have the unit/format strptime() would return. You can compare them to myDate directly.

Side note, you're using $time_input.latest$ twice. You probably want $time_input.earliest$ for the first comparison.

0 Karma
Reply

sureshkrovi
Explorer
‎11-14-2018 03:36 PM

Thanks martin for the response,I tweaked the query to use strpttime() and strftime() in right places.It's working good.Here is the final query used.
index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP |eval earlyDate=strftime("$time_range.earliest$", "%Y-%m-%d")| eval latestDate=strftime("$time_range.latest$", "%Y-%m-%d")| eval apptDate=strptime(APPT_DATE, "%Y-%m-%d %H:%M:%S")|eval apptDate1=strftime(apptDate, "%Y-%m-%d")|where apptDate1>=earlyDate AND apptDate1<=latestDate |table APPT_DATE VISIT_TYPE_CID VISIT_TYPE_NAME earlyDate latestDate apptDate1 | chart count(VISIT_TYPE_CID) over apptDate1 by VISIT_TYPE_NAME

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...