Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get earliest and latest from time filter?

asubramanian
Explorer
‎10-11-2019 12:14 PM

I am using a dashboard with some filters including the built int time input for the events.

For the queries in the chart Iam using $duration.earliest$ and $duration.latest$ for earliest and latest window.

below is a sample query in the dashboard and how I am fetching the time from the time input filter.

index=my_index
 earliest=$duration.earliest$
 latest=$duration.latest$
 "Log Message"
 | timechart count by sourcetype limit=0

It works for the preset for relative duration like last 7 days, 30 days etc but when I click All time it doesnt work. Looking at the query both this are set to empty values.

For all time shouldn't the evaluated values be set as earliest=1 latest=now ?

Similar error when I use realtime when I use real time of 10 day window the query becomes
earliest=rt-10d latest=rtnow and errors out as " Invalid value "rt-10d" for time term 'earliest'"

Edit: if search is not enabled in the times.conf does it return this error ?

Rest of Presets, relative and time range works without these issues.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-16-2019 01:35 PM

You are doing it wrong. Your dashboard panel should look like this (you can see that the time token values are in the <earliest>$field1.earliest$</earliest> and <latest>$field1.latest$</latest> XML specifiers, NOT in the SPL!

<form>
  <label>Demo Solution</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=my_index AND "Log Message" | timechart limit=0 count BY sourcetype</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

Check the Dashboard Examples app.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-16-2019 01:35 PM

You are doing it wrong. Your dashboard panel should look like this (you can see that the time token values are in the <earliest>$field1.earliest$</earliest> and <latest>$field1.latest$</latest> XML specifiers, NOT in the SPL!

<form>
  <label>Demo Solution</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=my_index AND "Log Message" | timechart limit=0 count BY sourcetype</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

Check the Dashboard Examples app.

Reply
Solved! Jump to solution

asubramanian
Explorer
‎10-16-2019 04:18 PM

Thanks a lot @woodcock passing the filter to tags instead of filter in query language worked.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-11-2019 12:27 PM

Add this to your SPL:

... | addinfo | rename info_* AS _info_*

Then use $results._info_min_time$ and $results._info_max_time.

0 Karma
Reply
Solved! Jump to solution

asubramanian
Explorer
‎10-11-2019 02:44 PM 
index=my_index
| addinfo | rename info_* AS _info_*
earliest=$results._info_min_time$
latest=$results._info_max_time$
"Log Message"
| timechart count by sourcetype limit=0

this is what i am using after change from $duration.earliest$ & $duration.latest$ to the above query, chart gets stuck at waiting for input even when i select some time in my time query.

@woodcock Can you please let me know what I am doing wrong here ?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-12-2019 10:44 AM

I thought that you were talking about dashboards and simplexml. You are going to have to back ALL THE WAY UP and explain exactly what you are doing. It makes no sense at all to me why you would need to do any of this and not just rely on the timepicker's natural behaviour.

0 Karma
Reply
Solved! Jump to solution

asubramanian
Explorer
‎10-15-2019 12:36 PM

@woodcock I am using the time picker. as I mentioned earlier. I have shared the sample query on how I am getting the value from the time picker in my queries. for 'All' and relative times this doesnt work.

0 Karma
Reply
Solved! Jump to solution

asubramanian
Explorer
‎10-11-2019 03:45 PM

Also info_min_time and info_max_time both seem to be fixed values and not configurable from the time search input i.e info_max_time is always infinity and info_min_time is always 0

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...