- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Invalid value "$week$" for time term 'earliest' ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am getting below error when the page first loads, after that when I manually select "Last 1 week" in the dropdown, the timechart displays. Below is the error , please help resolve the issue ?
Invalid value "$week$" for time term 'earliest'
I think, somehow, when the page loads, the token $week$ having a value of "-7d" is not working.
Also, when I select the choice, the query is passed into the token and then the query is running using that token. Below is my code :
<panel>
<title>Bandwidth Utilization - Trend</title>
<input type="dropdown" token="week" searchWhenChanged="true">
<label>Select Week</label>
<choice value="-7d">Last 1 Week</choice>
<choice value="-14d">Last 2 Weeks</choice>
<choice value="-21d">Last 3 Weeks</choice>
<choice value="-1mon">Last 1 Month</choice>
<selectFirstChoice>true</selectFirstChoice>
<default>-7d</default>
<initialValue>-7d</initialValue>
<change>
<condition value="-7d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....
</condition>
<condition value="-14d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....
<condition value="-21d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$ latest=now | my search .....
<condition value="-1mon">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$week$@mon latest=now | my search .....
</condition>
</change>
<search>
<query>index=snmp | dedup host | stats count</query>
<earliest>-5m@m</earliest>
<latest>now</latest>
</search>
<fieldForLabel>count1</fieldForLabel>
<fieldForValue>count1</fieldForValue>
</input>
<chart>
<search>
<query>$comparestring$</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
<refresh>2m</refresh>
<refreshType>delay</refreshType>
</search>
<!--option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option-->
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">area</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">minmax</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="height">396</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.
Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:
<condition value="-7d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
</condition>
<condition value="-14d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
<condition value="-21d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
<condition value="-1mon">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search ..... </set>
</condition>
</change>
Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pgadhari while using the <change> event handler use the predefined token $value$ to access the changed value instead of the token name i.e. $week$. Since the token would need to be submitted you will notice a delay on one submission otherwise.
Also if your my search ..... remains the same for all time selections, you can just pass the $value$ as $comparedstring$ to the actual SPL as remaining SPL remains constant. In either case try the following:
<condition value="-7d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
</condition>
<condition value="-14d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
<condition value="-21d">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$ latest=now | my search .....</set>
<condition value="-1mon">
<set token="comparestring">index=snmp sourcetype=snmp_ta_vpn earliest=$value$@mon latest=now | my search ..... </set>
</condition>
</change>
Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_accessing_label...
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Initialize token when dashboard loads:
<form>
<init>
<set token="week">-7d</set>
</init>
.....
But I would suggest you to write search query directly in the <chart> element instead of writing it to a token ($comparestring$) in <input> element.
<chart>
<search>
<query>index=snmp sourcetype=snmp_ta_vpn earliest=$week$ | my search .....</query>
<sampleRatio>1</sampleRatio>
<refresh>2m</refresh>
<refreshType>delay</refreshType>
</search>
.....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Saw that docs, and I tried doing earliest_time=-7d@d, instead of earliest=-7d, but still getting the same error ? Not sure whats the issue ? still trying to figure it out ?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
