Retrieve selected time range from TimeRangePicker

IgorB
Path Finder

Hi.

I'm trying to retrieve a timerange selected in TimeRangePicker from within a downstream module, preferably as earliest/latest in epoch format. Is there a way of achieving that without using SideView Utils?

Thanks in advance,

--Igor


sideview
SplunkTrust

If you are trying to get the nice "2 PM Tuesday August 28 2012" string to be displayed to the end user, then the SimpleResultsHeader module will allow you to put a $time$ token in its "headerFormat" param. But that's about it, and of course it'll display it as a bold header style and you might have to apply some custom CSS.

But if you want to use the time arguments themselves for something, like -24h, or if you want to do anything besides display the readable label, there's no other way short of writing custom JavaScript, or of course using Sideview Utils.

In Sideview Utils, you can use $search.timeRange.earliest$, $search.timeRange.latest$ and $search.timeRange.label$ in almost any Sideview module param and it will substitute in the value at runtime. So for example if your timerange was (7d@d,now), the earliest token would have the value of "7d@d". The latest token would be "now" and the label token would be "in the last 7 days". You can plug these tokens into the HTML module to display, or into the Search module for subsequent searches, or really into any Sideview module for anything.

EXTRA: I just double checked something and actually, although the Sideview PostProcess module allows substitution of $foo$ tokens into postprocess searches, it doesn't actually support these timerange tokens specifically. I'll add that in the next release though, which will be 2.1.3 and which should be out in a week or less.

sideview
SplunkTrust

Indeed the aforementioned improvement was made to the Sideview PostProcess module.
