Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to pass dynamic value according to time picker in span

ektasiwani
Communicator
‎08-03-2015 12:10 AM

I want to give span in query according to the time range selected by user.
I tried something like this , but its giving error for bucket/span.
How can i pass variable in span?

 index="main" sourcetype=*** orig="*" product=****  | eval latest=[|gentimes start=-1 | addinfo | eval search=info_max_time | head 1 |table search] | eval earliest=[|gentimes start=-1 | addinfo | eval search=info_min_time | head 1 |table search] | eval time_span= round((latest-earliest)/3600,0)  | strcat time_span "h"  span_ryt | bucket _time span=span_ryt  | stats count by _time

i tried assigning value to span_ryt and passing same to span. but its not working.

Thnaks

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎08-03-2015 04:16 AM

You can't do that. Using a variable for a span argument is simply not possible. However, you can use a search macro!

Set up your macro like this: 

[myBucket(1)]
args = span
definition = bucket _time span=$span$

And use it like this:

... | strcat time_span "h"  span_ryt | `myBucket(span_ryt)`  | stats count by _time

This will perform the search you defined, but replace the token with the string you created.

For more information on macros and macros.conf : http://www.splunk.com/base/Documentation/6.2.4/Admin/Macrosconf?r=splunky

0 Karma
Reply

ektasiwani
Communicator
‎08-03-2015 04:53 AM

i tried same thing.
still its giving below error:

Error in 'bucket' command: The value for option span (span_ryt) is invalid.

index="main" sourcetype="***" orig="*" product="***"  | eval latest=[|gentimes start=-1 | addinfo | eval search=info_max_time | head 1 |table search] | eval earliest=[|gentimes start=-1 | addinfo | eval search=info_min_time | head 1 |table search] | eval time_span= round((latest-earliest)/3600,0)  | strcat time_span "h"  span_ryt | `myBucket(span_ryt)`  | stats count by _time

I changed the macros file as u told and copied it in ../etc/apps/myapp/default/

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎08-03-2015 04:56 AM

Try removing the strcat and using an eval.

eval span_ryt = time_span ."h"

Make sure that the field is shown in the interesting fields list with the correct value.

0 Karma
Reply

ektasiwani
Communicator
‎08-03-2015 05:06 AM

I tried this, its giving same error.
tried printing span_ryt and i am getting correct value.

when i am passing my query as 

...|  eval span_ryt = time_span ."h"| `myBucket(72h)`| stats count by _time

I am getting desired output.

But when i am trying with this 

.....| eval span_ryt=time_span . "h"| `myBucket(span_ryt)`  | stats count by _time

I am getting this error "Error in 'bucket' command: The value for option span (span_ryt) is invalid."

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...