Forums: SplunkReporting: Get the time defined by the user


I'm building a form with 3 inputs: 2 of them are true/false fields and the last input is a time field.
Then, in a panel, I'm running a search to compute the percentage of time that true/false combination occurred within the defined time interval.
To do so, I need to get the earliestTime/latestTime or another field with such values.
I already tried to add a token to the input field and, with an "eval" statement, assign it to a string and then print it, so I could see what's saved in that field. However, nothing was shown on screen. I even tried the same with the earliestTime, but again the same happened.
Any ideas?
Thanks,
Guillermo

Hi Guillermo,

Is it possible to paste the XML you're working with here?

Thanks,
Emma

Hi Emma. Below is a snippet of the XML file. The part I'm not copying includes a table panel and a single panel, each with its own searchTemplate.

<form>
  <label>Search Form</label>

  <fieldset>
    <input type="dropdown" token="field1">
      <label>First Field</label>
      <choice value="true">true</choice>
      <choice value="false">false</choice>
      <prefix>fieldA="</prefix>
      <suffix>"</suffix>
    </input>

    <input type="dropdown" token="field2">
      <label>Second Field</label>
      <choice value="true">true</choice>
      <choice value="false">false</choice>
      <prefix>fieldB="</prefix>
      <suffix>"</suffix>
    </input>

    <input type="time"/>
  </fieldset>
  <row>
    <table>
      <title>Down-Time Percentage</title>
      <searchTemplate>sourcetype="my_sourcetype" source="my_source" fieldA="true" fieldB="false" | transaction fieldA fieldB maxspan=1d maxpause=30m | stats min(_time) as earliest, max(_time) as latest, sum(duration) as totalDur | eval lapso=(latest-earliest) | eval porcentage=((totalDur/lapso)*100)." %" | eval otracad=info_min_time</searchTemplate>
      <fields>porcentage otracad</fields>
    </table>
  </row>
</form>

Yeah, it's basically not possible to get the "earliest" and "latest" time parameters that were passed in to the search from Simple XML or from the search language in general. I would have found it useful at times also (e.g. in subsearches). It is probably a worthwhile enhancement request.

That's a shame.
I successfully got the earliest and latest times from the events obtained in the search, but they are not the same as the parameters used for the search, because it may be a smaller set of data.
However, thanks guys for your help.