Re: Earliest latest

Mohsin123 · ‎08-10-2018

Hi,

I am using a formula but this isnt working as expected
trying to make a check box , which will give earliest time t the input value field + 5 min
and latest to the input value field + 4 hrs
But the timechart query below doesnt work right
if i am taking the default value 10pm
then the earliest should be : 10.05 pm and latest 2 am
but the timechart shows 6pm-10pm

Please help

@niketn

i used this link by you :

https://answers.splunk.com/answers/613054/can-i-set-a-latest-relative-to-an-absolute-earlies.html

  <title>Response time (avg) and Response time overall average</title>
  <input type="text" token="tokSelectEarliestTime" searchWhenChanged="true">
    <label>Earliest Time</label>
    <default>01/08/2018:10:00:00</default>
    <change>
      <eval token="tokEarliest">strptime($value$,"%m/%d/%Y:%H:%M:%S")+300</eval>
      <eval token="tokLatest">strptime($value$,"%m/%d/%Y:%H:%M:%S")+14400</eval>
    </change>
  </input>
  <single>
    <search>
      <query>index="idxx" sourcetype IN ("kaf") component=$component$ (logpoint=request-in OR logpoint=response-out) earliest=$tokEarliest$ latest=$tokLatest$

| stats earliest(_time) as earliest_time, latest(_time) as latest_time by component,transaction-id
| eval duration=latest_time-earliest_time
| stats avg(duration) as ResponseTime
$earliest$
$latest$

    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="drilldown">none</option>
    <option name="height">80</option>
    <option name="linkView">search</option>
    <option name="numberPrecision">0.00</option>
    <option name="refresh.display">progressbar</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="useColors">0</option>
    <option name="useThousandSeparators">1</option>
  </single>
  <chart>
    <search>
      <query>index="idx" sourcetype IN ("ka") component=$component$ (logpoint=request-in OR logpoint=response-out) earliest=$tokEarliest$ latest=$tokLatest$

| stats earliest(_time) as earliest_time, latest(_time) as latest_time by component,transaction-id
| eval duration=latest_time-earliest_time
| eval _time=earliest_time
| timechart span=1h, avg(duration) as avg_resp
$earliest$
$latest$

    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.text">Time</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.text">Resp. Time (sec)</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">line</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">zero</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">bottom</option>
    <option name="charting.seriesColors">[0x990099]</option>
    <option name="height">350</option>
    <option name="refresh.display">progressbar</option>
  </chart>
</panel>

niketn · ‎08-11-2018

@Mohsin123 , you have defined two tokens tokEarliest and tokLatest, but although some of your search query is not visible, but seems like you are using tokens $earliest$ and $latest$

Also on a different note when you use <eval> to set a token for time it would use current system time zone (expecting that to be issue here as Hours seem to have shifted by 4 hours.)

Try to use an independent search to set the tokens instead as explained in the following answer of mine to set the earliest and latest time tokens: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Also validate with string time to ensure that token is getting set properly first!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Mohsin123 · ‎08-10-2018

@niketnilay can u pls help here

Mohsin123 · ‎08-10-2018

@woodcock could you please help here

Mohsin123 · ‎08-10-2018

@renjith.nair Hi Renjith, could you pls help here , hope u remb me ...i reported u mistakenly while rewarding you 😛

Earliest latest

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk