Use Timepicker Token With Field

IRHM73
Motivator

Hi,

I wonder whether someone could help me please.

I'm using a query which interrogates a Summary Index containing two fields called Epoch_STime and Epoch_ETime.

I'm then using the query in a dashboard panel which includes a timepicker called "timerange".

What I'm trying to do is set the earliest time from the timepicker to the Epoch_STime and the latest date of the timepicker to Epoch_ETime.

I've tried earliest=$Epoch_Stime$ and the same for the latest time, but I can't get this to work.

Could someone possibly look at this please and let me know where I've gone wrong?

Many thanks and kind regards

Chris

1 Solution

sdchakraborty
Contributor

Hi,

If I understand your question correctly, you need to set the time picker earliest and latest value based on field value, right? Can you please have a look at the below code snippet and see whether it's satisfying your requirement?

<form>
  <label>demo</label>
  <search id="base_search">
    <query>
      | makeresults
      | eval Epoch_STime=strptime("02/26/2019","%m/%d/%Y"), Epoch_ETime=strptime("02/28/2019","%m/%d/%Y")
    </query>
    <done>
      <set token="form.time.earliest">$result.Epoch_STime$</set>
      <set token="form.time.latest">$result.Epoch_ETime$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
</form>

IRHM73
Motivator

Hi @sdchakraborty . Thank you for coming back to me with this.

No it's the other way around, so when the user selects the 'timepicker' time range it extracts the correct data using the Epoch time fields.

Many thanks and kind regards

Chris

0 Karma

sdchakraborty
Contributor

Hi,
You can do something like this. Please have a look at the run anywhere code below:

<form>
  <label>demo</label>
  <search id="base_search">
    <query>|makeresults</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <progress>
      <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <set token="jobEarliest">$job.earliestTime$</set>
      <set token="jobLatest">$job.latestTime$</set>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>0</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval Epoch_Time=case(count=1,strptime("02/26/2019","%m/%d/%Y"), count=2,strptime("02/28/2019","%m/%d/%Y"))
| eval formatted_time = strftime(Epoch_Time,"%m/%d/%Y")
| table Epoch_Time, formatted_time
| eval earliest = $toEarliest$
| eval latest = if($toLatest$ &lt; 0,now(),$toLatest$)
| where Epoch_Time &gt;= earliest AND Epoch_Time &lt;= latest</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

IRHM73
Motivator

Hi @sdchakraborty . Thank you for coming back to me.

I'm sorry to ask, particularly as you've been so helpful, but which element do I use in my dashboard? I'm having a little difficulty in following the data/field journey.

Many thanks and kind regards

Chris

0 Karma

sdchakraborty
Contributor

Hi Chris,

Let me explain what's going on there. The main problem statement is you need to select some date range from your dashboard time picker and that should filter out data based on another field (Epoch_STime and Epoch_ETime). Now as we know, the time picker will always go by the _time field. So we need to do some customization. That's why I have created the base search.

It's just running a dummy search with our dashboard time picker earliest and latest value and setting up a couple of tokens (toEarliest and toLatest) which we are going to use in our panel level search.

  <search id="base_search">
     <query>|makeresults</query>
     <earliest>$time.earliest$</earliest>
     <latest>$time.latest$</latest>
     <progress>
       <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
       <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
       <set token="jobEarliest">$job.earliestTime$</set>
       <set token="jobLatest">$job.latestTime$</set>
     </progress>
   </search>

Now at the panel level we are applying those two tokens we set before, and the filtering logic is to get the events where the Epoch_STime and Epoch_ETime range is matching with the toEarliest and toLatest range. If you understand this I think you should be able to determine what changes you need to do in your dashboard.

Btw I have discussed the same thing below as well. Please have a look.

Part 1 : https://youtu.be/SiXshUxhmcc
Part 2 : https://youtu.be/1fIWEqmxKEg
Part 3 : https://youtu.be/OzEb7Q-fuXs
Part 4 : https://youtu.be/K_PeZvkVFOA

Sid

0 Karma
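
The data flow described in the post above, modelled in Python as an added example (not part of the original thread and not Splunk code). The names `ISO_FMT`, `to_epoch`, `filter_rows` and `ROWS` are assumptions; `%f` stands in for Splunk's `%3N`, a failed parse is modelled as `None`, and the sample rows are constructed.

```python
from datetime import datetime, timezone

# Python stand-in for the thread's "%Y-%m-%dT%H:%M:%S.%3N%z" format string.
ISO_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"

def to_epoch(job_time, fmt=ISO_FMT):
    """Model of the <eval token=...> step: ISO job time string -> epoch seconds.
    Returns None when the format string does not match the input."""
    try:
        return datetime.strptime(job_time, fmt).timestamp()
    except ValueError:
        return None

def filter_rows(rows, job_earliest, job_latest, now=None):
    """Model of the panel search: keep rows whose Epoch_STime..Epoch_ETime
    window lies inside the time picker's resolved window."""
    earliest = to_epoch(job_earliest)   # plays the role of $toEarliest$
    latest = to_epoch(job_latest)       # plays the role of $toLatest$
    if earliest is None or latest is None:
        return []                       # no usable bound, so no row can pass
    if latest < 0:                      # same fallback as if($toLatest$ < 0, now(), ...)
        latest = now if now is not None else datetime.now(timezone.utc).timestamp()
    return [r for r in rows
            if r["Epoch_STime"] >= earliest and r["Epoch_ETime"] <= latest]

def row(name, start, end):
    """Build one constructed summary-index row with epoch start/end fields."""
    return {"name": name, "Epoch_STime": to_epoch(start), "Epoch_ETime": to_epoch(end)}

# Constructed sample rows; _time plays no part in the filter.
ROWS = [
    row("A", "2019-02-26T00:00:00.000+00:00", "2019-02-26T12:00:00.000+00:00"),
    row("B", "2019-02-27T00:00:00.000+00:00", "2019-02-28T00:00:00.000+00:00"),
    row("C", "2019-02-28T00:00:00.000+00:00", "2019-03-01T00:00:00.000+00:00"),
]

if __name__ == "__main__":
    picked = filter_rows(ROWS, "2019-02-26T00:00:00.000+00:00",
                         "2019-02-28T00:00:00.000+00:00")
    print([r["name"] for r in picked])
```

Row C starts inside the picked window but ends after it, so the `Epoch_ETime <= latest` half of the condition drops it.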

IRHM73
Motivator

Hi, @sdchakraborty. Thank you for coming back to me and I'm sorry it's taken a while to come back to you. I've been working through this, but I can't get the 'timepicker' to load the data.

Could you possibly have a look at my XML below please and let me know where I've gone wrong?

<form>
  <label>CODE</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
         <progress>
       <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
       <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
       <set token="jobEarliest">$job.earliestTime$</set>
       <set token="jobLatest">$job.latestTime$</set>
     </progress>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Extract Data</title>
        <search>
          <query><<Main part of query>>
| eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$) |  where Epoch_STime &gt;= earliest AND Epoch_ETime &lt;= latest
</query>
        </search>
      </table>
    </panel>
  </row>
</form>

Many thanks and kind regards

Chris

0 Karma

sdchakraborty
Contributor

Hi Chris,

The below code is in the wrong place. The progress tag has to be under a search.

 <progress>
        <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
        <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
        <set token="jobEarliest">$job.earliestTime$</set>
        <set token="jobLatest">$job.latestTime$</set>
      </progress>
0 Karma

IRHM73
Motivator

Hi @sdchakraborty.

Thank you for coming back to me with this.

I've amended the code to the following:

      <input type="time" token="time" searchWhenChanged="true">
         <label>Select the Time Range</label>
         <default>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
         </default>
      </input> 
      <panel>
         <table>
            <title>Extract Data</title>
            <search>
               <query><<Main Query>>
| eval earliest = $toEarliest$ | eval latest = if($toLatest$ &lt; 0,now(),$toLatest$) |  where Epoch_STime &gt;=earliest AND Epoch_ETime &lt;=latest
               <earliest>$time.earliest$</earliest>
               <latest>$time.latest$</latest>
               <progress>
                  <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
                  <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
                  <set token="jobEarliest">$job.earliestTime$</set>
                  <set token="jobLatest">$job.latestTime$</set>
               </progress>
            </search>
         </table>
      </panel>

The data is now being returned, so thank you for this, but it is not filtering the data to match the timepicker.

Is there any chance you could look at this please and let me know where I've gone wrong?

Many thanks and kind regards

Chris

0 Karma

sdchakraborty
Contributor

Hi Chris,

That is wrong again. I have created a simplistic dashboard. Please have a look. You can change the dates at the panel level and test.

<form>
  <!-- Base search: runs over the time picker's range and publishes the job's time bounds as epoch tokens -->
  <search>
    <query>|makeresults</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <progress>
      <eval token="toEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="toLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <set token="jobEarliest">$job.earliestTime$</set>
      <set token="jobLatest">$job.latestTime$</set>
    </progress>
  </search>
  <label>demo1</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Panel search: filters on the epoch field using the tokens set by the base search -->
        <search>
          <query>| makeresults count=2
| streamstats count
| eval date_time = case(count=1,"2019-02-28T3:26:59.676Z",count=2,"2019-02-28T3:26:53.391Z")
| eval date_time_epoch = strptime(date_time,"%Y-%m-%dT%H:%M:%S.%3N")
| table _time,date_time,date_time_epoch
| eval earliest = $toEarliest$
| eval latest = if($toLatest$ &lt; 0,now(),$toLatest$)
| where date_time_epoch &gt;= earliest AND date_time_epoch &lt;= latest</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

IRHM73
Motivator

Hi @sdchakraborty .

Thank you for this. I've been through this again and I've finally got this to work. Thank you so much for your help.

But would it be possible, because I want to learn from this, that you could explain the rationale behind the need to use the first query?

Many thanks and kind regards

Chris

0 Karma