Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard Input Error When Time Is Set As "All Time"

LuiesCui
Communicator
‎03-04-2015 09:50 PM

hey guys, i'm new to splunk and i really need ur help!!!
i built a form with an input

<input type="time" token="time1" searchWhenChanged="true">
  <label>Time</label>
  <default>
    <earliestTime>-24h@d</earliestTime>
    <latestTime>@d</latestTime>
  </default>
</input>

and my search string is

<query>
    index=ha  "ha_fids: Terminating CM"  earliest=$time1.earliest$ latest=$time1.latest$ 
    | eval time=_time  
    | stats count by time 
    | SORT -time 
    | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time)
    | rename time as WarningTime 
    | table WarningTime 
</query>

everything works fine except an error occurs when i choose "all time" on the input bar :

"Error in 'search' command: unable to parse the search: Comparator '=' is missing a term on the right hand side."

my guess was when i choose "all time", earliest=$time1.earliest$, which is null. so i tried with double quotes around the tokens.

earliest="$time1.earliest$" latest="$time1.latest$"

no errors occur and no results are found. so how do i correct my search string?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎03-05-2015 02:11 AM

Hi Luies,

I see that you are using splunk 6.2 if it is the case we change earliestTime and latestTime into earliest and latest in your input setting

Try to to use the time range like this:enter code here

<search>
 <query>
     index=ha  "ha_fids: Terminating CM"  
     | eval time=_time  
     | stats count by time 
     | SORT -time 
     | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time)
     | rename time as WarningTime 
     | table WarningTime 
 </query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>

View solution in original post

Reply
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎03-05-2015 02:11 AM

Hi Luies,

I see that you are using splunk 6.2 if it is the case we change earliestTime and latestTime into earliest and latest in your input setting

Try to to use the time range like this:enter code here

<search>
 <query>
     index=ha  "ha_fids: Terminating CM"  
     | eval time=_time  
     | stats count by time 
     | SORT -time 
     | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time)
     | rename time as WarningTime 
     | table WarningTime 
 </query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
Reply
Solved! Jump to solution

thirumalreddyb
Communicator
‎05-16-2016 10:37 AM

What if those tokens should work on a sub-search?

0 Karma
Reply
Solved! Jump to solution

markthompson
Builder
‎03-05-2015 01:17 AM

Your problem here is that "All time" doesn't use an earliest or latest time, it simply searches through everything. Which is probably whats causing your error, Why are you using earliest and latest time in your searches? Surely you should use a timepicker in your dashboard and use those values as your search string.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...