Refine your search:

Change search query by time range

0

Can I create a dashboard that the searches depend on time range selected?

For my case, I want to query 24 hours data from original index and timechart span=5min When user selected time range larger than 24 hours, then it will search data from summary index and with timechart span=1h.

Does TimeRangePicker allow such customization? Or I need to use Sideview?

Philip

asked 11 May '12, 02:22

philip.wong's gravatar image

philip.wong
413
accept rate: 0%

2 Answers:
oldestnewestmost voted
1

There's a "hack" that allows you to choose a different summary index as the query-source depending on the selected timerange:

<your search> [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ]

So this will expand to index=summary1 <your search> if the selected timerange is less than a day and index=summary2 <your search> otherwise.

Unfortunately this can't be used to alter the span parameter for the timerange command.

link

answered 11 May '12, 04:30

ziegfried's gravatar image

ziegfried ♦
10.1k1618
accept rate: 52%

Thank you so much! I think it can really solve my problem.

I'd like to learn more.

  1. "addinfo" allows us to post-process the search?
  2. Is it a must to have "stats count"?
  3. If I need to run a timechart here, so it should be done by this?

<your search=""> [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ] | timechart count

I think span is not a big concern

(14 May '12, 23:26) philip.wong
0

If you don't explicitly specify a span for timechart it will pick an appropriate span automatically, which should be the easiest way of solving what you want to accomplish.

link

answered 11 May '12, 02:39

Ayn's gravatar image

Ayn
25.3k3717
accept rate: 41%

Indeed I have tried. Seems Splunk won't choose span=5min. (I guess 15min is the default minimal)

And I still have problem to make my index to be dynamic...

Thanks!

(11 May '12, 02:42) philip.wong

Ah, I missed the part of using the summary index instead of the default, sorry. To my knowledge this is not possible to do (or at least not easily done).

(11 May '12, 02:51) Ayn

Yes... badly it becomes my next problem now... I tried to fix the span=5m. But it's fine to retrieve per 1h data from summary index for 7 days. But if I change the range to 30 days, it will show nothing in timechart!

(15 May '12, 01:21) philip.wong
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×473
×275
×3

Asked: 11 May '12, 02:22

Seen: 760 times

Last updated: 15 May '12, 01:21

Related questions

advanced xml coding

[closed] advanced xml reporting

Problems controlling time range in dashboards

How does Deployment Monitor Dashboard suppress time range messages?

advanced dashboard canceling search?

HIddenPostProcess narrow time range

How to "Just" link to my dashboard view from "Single Value" without dispatching a search

Apply filters to a Google Map module (Advanced XML Dashboard)

tokens in advanced xml?

Copyright © 2005-2012 Splunk Inc. All rights reserved.