Calculate earliest, latest with timepicker

igschloessl · ‎08-19-2019

My case is that I have got a dashboard with panels where I have a global time picker $global_pckr$
I need to calculate the latest timespan for a specific panel, when the user picks a too wide timespan.

index=proxy src=$ip$
[|gentimes start=-1 | addinfo | eval earliest=$global_pckr.earliest$, latest=relative_time($global_pckr.earliest$, "+7d"]
| stats count min(_time) as end max(_time as start by action src url

I get the Error: Unable to parse 156616... with format: %m/%d/%>:%H:%M:%S

How can I get this work?

Thank you in advance

woodcock · ‎08-19-2019

You are combining things. If you are using $global_pckr.earliest$ and $global_pcker.latest$ then you do not need | addinfo because it is redundant. As far as, "How can you get this to work", you have not explained what exactly this is so there is no way that we can help you further.

apcsplunk · ‎08-19-2019

Hi,
Few corrections i think:
1. No comma used in eval statements for creating multiple eval fields. Reference->
https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/SearchReference/Eval
2. Stats usage is | stats min(_time) as end max(_time as start by action src url. if you want to add count also,then use | stats count as "new_label" Reference-> https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats

richgalloway · ‎08-19-2019

"Correction" 1 is incorrect. The comma is required when performing multiple evals in a single statement.
"Correction" 2 implies the as clause is required. It is not.

---
If this reply helps you, Karma would be appreciated.

Calculate earliest, latest with timepicker

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life