Re: How to add to or subtract one hour to time tok...

jravida · ‎02-25-2016

Hi folks,

I'm running the transaction command in a drilldown panel that passes the times picked on the timechart down to the next panel as tokens. The problem I run into is where the transactions don't fall within the hour slice, I want the token to subtract an hour from the earliest time, and add an hour to the latest, so I can encompass the transaction.

I tried $earliest_time$ - 1h

Splunk says "Invalid earliest_time"

Is there a way to offset the tokens this way?

hopnscotch · ‎06-29-2016

Did you ever find a solution to this?

I've tried so many combinations of 'possible solutions' I've seen posted, but none of them have worked for me.

jeffland · ‎02-26-2016

You could change your token before it is consumed by the search. Do this in your drilldown:

    <eval token="time_tok_plus_1h_earliest">relative_time(relative_time(now(), 'earliest'), "+1h")</eval>
    <eval token="time_tok_plus_1h_latest">relative_time(relative_time(now(), 'latest'), "+1h")</eval>

Replace earliest and latest with wherever your values come from, e.g. click.value.

somesoni2 · ‎02-25-2016

I guess the earliest and latest value that you get from the drilldown will in epoch, so try one of these in the drilldown search

your base search earliest=($earliest_time$-3600) ...rest of the search

OR

your base search [| gentimes start=-1 |eval earliest=$earliest_time$-3600 | table earliest ]

How to add to or subtract one hour to time tokens to be passed in a drilldown?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...