Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate earliest and latest from a date passed on form

phoenixdigital
Builder
‎04-30-2013 09:32 PM

Hi All,

I am hoping to have a dashboard where the user can select a month and year and then this automatically generate an earliest and latest based on the beginning of that month(+6h) and the end of that month(+6h)

I can manually do the search which sums the data correctly per month

sourcetype=usage-data key="2344" earliest="@year+6h" latest="@mon+6h" | eval _time=_time - 21600 |  timechart span=mon sum(usage) as totalUsage

What I want though is the ability to give the user a simple interface which will return that month's data. There will be about another 20 searches which will use this same date range.

If your wondering why I have to add 6 hours. The days usage count starts from 6am every day.

Any help would be greatly appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-01-2013 12:34 AM

One way to achieve this would be with an eval-based macro like this one:

relative_time(strptime("$year$-$month$-01", "%Y-%m-%d"), "+$offset$mon+6h")

To test this you can use a query like this:

index=foo earliest=`from_month("2013", "02", "0")` latest=`from_month("2013", "02", "1")` | stats count | addinfo | fieldformat info_min_time = strftime(info_min_time, "%+") | fieldformat info_max_time = strftime(info_max_time, "%+")

Where 2013 and 02 would be values passed in from your form.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-01-2013 12:34 AM

One way to achieve this would be with an eval-based macro like this one:

relative_time(strptime("$year$-$month$-01", "%Y-%m-%d"), "+$offset$mon+6h")

To test this you can use a query like this:

index=foo earliest=`from_month("2013", "02", "0")` latest=`from_month("2013", "02", "1")` | stats count | addinfo | fieldformat info_min_time = strftime(info_min_time, "%+") | fieldformat info_max_time = strftime(info_max_time, "%+")

Where 2013 and 02 would be values passed in from your form.

Reply
Solved! Jump to solution

phoenixdigital
Builder
‎05-01-2013 10:19 PM

That is perfect. Thank you Martin!

I must say this forum is a wealth of information and constantly opens my eyes up to features of Splunk I have barely touched.

Well done to all involved. When my workload lessens I plan to keep an eye on these threads and give back for all the wealth of knowledge that all here provide.

Thanks again

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...