Timeinput and token

kishan2356
Explorer

I have a dashboard where I need users to be able to select from the time input. When a time is selected from the input, I need it to be stored in the time_finder token so it can be used to find data for current (the time selected from the picker), time_finder-1 week ago, time_finder-2 weeks ago, time_finder-3 weeks ago and time_finder-4 weeks ago.

This is how I have the tokens set now.

    <eval token="earliestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>    
    <eval token="latestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>  
    <eval token="earliestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-7d")</eval>        
    <eval token="latestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-6d")</eval>  
    <eval token="earliestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-14d")</eval>  
    <eval token="latestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-13d")</eval>  
    <eval token="earliestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-21d")</eval>  
    <eval token="latestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-20")</eval>  
    <eval token="earliestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-28")</eval>  
    <eval token="latestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-27d")</eval>  

What I use in my query to reference the tokens is this: earliest=$time_finder$ latest=$time_finder$

The error I am getting is "Search is waiting for input". How can I fix this? If my question does not make sense please let me know and I will clarify/provide more info. Thanks

0 Karma
1 Solution

arjunpkishore5
Motivator

In response to the sample example you posted, try this. Please mark as answer if this is what you were looking for.

<form>
  <label>test_dash</label>
  <fieldset submitButton="false">
    <input type="time" token="time_finder" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest), earliest)</eval>
        <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), latest)</eval>       
        <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
        <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
        <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
        <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
        <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
        <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
        <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
        <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>XXXXXXXXX</title>
      <table>
        <search>
          <query>index=XX sourcetype=XX 
| bin _time span=5m 
| stats dc(ecn) as Now by _time 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime1$ latest=$latestTime1$ 
    | bin _time span=5m 
    | stats dc(ecn) as Count_SameDay_LastWeek by _time ] 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime2$ latest=$latestTime2$ 
    | bin _time span=5m 
    | stats dc(ecn) as TwoWeeksAgo by _time] 
| appendcols 
    [ search index=XX sourcetype=XX  earliest=$earliestTime3$ latest=$latestTime3$
    | bin _time span=5m 
    | stats dc(ecn) as ThreeWeeksAgo by _time] 
| appendcols 
    [ search index=XX sourcetype=XX earliest=$earliestTime4$ latest=$latestTime4$ 
    | bin _time span=5m 
    | stats dc(ecn) as FourWeeksAgo by _time] 
| eval ...... 
| fields .........</query>
          <earliest>$time_finder.earliest$</earliest>
          <latest>$time_finder.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="totalsRow">false</option>
        <format type="number" field="Diff2">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Estimated_Impact">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Avg_of_Diff1&amp;2">
          <option name="precision">0</option>
        </format>
        <format type="number" field="AvgOfFourWeeks_SameDay">
          <option name="precision">0</option>
          <option name="useThousandSeparators">false</option>
        </format>
        <format type="number" field="Avg_of_Diff_of_today_to_lastweek&amp;Diff_of_today_to_avgOfPrior4weeks">
          <option name="precision">0</option>
        </format>
        <format type="number" field="Diff_of_today_to_avgOfPrior4weeks">
          <option name="precision">0</option>
        </format>
      </table>
    </panel>
  </row>
</form>


arjunpkishore5
Motivator

I'm guessing $time_finder$ is the name of the variable storing the time input. If yes, you need to do the following

earliest=$time_finder.earliest$ latest=$time_finder.latest$

0 Karma

kishan2356
Explorer

Hey @arjunpkishore5

The dashboard works, but say I select Date & Range Between 11/13/2019 9:00 and 11/13/2019 10:00: what happens is that the table will display time for 8:00 to 10:00, but it fills in all the data between 8 and 9 with 0s for the first 2 columns, and then it starts to display all the data for 9 to 10. I need it to select the exact time and display it. My guess is that the issue is coming from the way the tokens are set on the dashboard? Any idea on how to fix this issue?

     <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest), earliest)</eval>
     <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), latest)</eval>       
     <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
     <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
     <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
     <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
     <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
     <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
     <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
     <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
   </change>
0 Karma

kishan2356
Explorer

I made the change but it does not work.

0 Karma

kishan2356
Explorer

If I use earliest=$time_finder.earliest$ latest=$time_finder.latest$, would I need 4 sets of earliest and latest?

0 Karma

kishan2356
Explorer

Hey arjunkishore5. I did not properly make the changes you posted to my code, but your solution works just fine! Thank you!

0 Karma

arjunpkishore5
Motivator

Can you post the complete XML for the time input?

0 Karma

kishan2356
Explorer

XXXXXX

<input type="time" token="time_finder" searchWhenChanged="true">
  <label>Time Picker</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>    
    <eval token="latestTime">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-0d")</eval>  
    <eval token="earliestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-7d")</eval>        
    <eval token="latestTime1">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-6d")</eval>  
    <eval token="earliestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-14d")</eval>  
    <eval token="latestTime2">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-13d")</eval>  
    <eval token="earliestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-21d")</eval>  
    <eval token="latestTime3">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-20")</eval>  
    <eval token="earliestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-28")</eval>  
    <eval token="latestTime4">relative_time(strptime($time_finder$,"%Y/%m/%d %H:%M:%S"),"-27d")</eval>  
  </change>
</input>


<panel>
  <title>XXXXXXXX</title>
  <table>

    <search>
      <query>index=XX sourcetype=XX | bin _time span=5m | stats dc(ecn) as Now  by _time | appendcols [ search index=XX sourcetype=XX earliest=$earliestTime1.earliest$ latest=$latestTime1.latest$ | bin _time span=5m  |stats dc(ecn) as Count_SameDay_LastWeek by _time ] | appendcols [search index=XX sourcetype=XX  earliest=$earliestTime2.earliest$ latest=$latestTime2.latest$  | bin _time span=5m  |stats dc(ecn) as TwoWeeksAgo by _time] | appendcols [search index=XX sourcetype=XX  | bin _time span=5m  |stats dc(ecn) as ThreeWeeksAgo by _time] | appendcols [search index=XX sourcetype=XX  earliest=$earliestTime4$ latest=$latestTime4.latest$  | bin _time span=5m  |stats dc(ecn) as FourWeeksAgo by _time] | eval ...... | fields .........</query>
      <earliest>$earliest.earliest$</earliest>
      <latest>$latest.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <option name="totalsRow">false</option>
    <format type="number" field="Diff2">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Estimated_Impact">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Avg_of_Diff1&amp;2">
      <option name="precision">0</option>
    </format>
    <format type="number" field="AvgOfFourWeeks_SameDay">
      <option name="precision">0</option>
      <option name="useThousandSeparators">false</option>
    </format>
    <format type="number" field="Avg_of_Diff_of_today_to_lastweek&amp;Diff_of_today_to_avgOfPrior4weeks">
      <option name="precision">0</option>
    </format>
    <format type="number" field="Diff_of_today_to_avgOfPrior4weeks">
      <option name="precision">0</option>
    </format>
  </table>
</panel>
0 Karma