TimeRangePicker as intention

menkurau
Path Finder

I would like to use the timerangepicker to pass the chosen date as an intention to a search. However, in reading the docs it does not appear to be something that can be done. I have looked a bit at Sideview but it does not appear to solve the problem. Can this be done?

sideview
SplunkTrust

No I don't think there's any way to have the TimeRangePicker's timerange plugged into an intention. Not without patching the relevant javascript a bit yourself.

This is I think quite possible with Sideview Utils, although Sideview Utils does away with the need for intentions so it's a bit different. You wouldn't plug the TimeRangePicker's arguments into an intention which then gets plugged into a search - you would simply plug the TimeRangePicker's arguments directly into the search, or into an HTML module, etc.

As an example, let's say you wanted to use the TimeRangePicker to determine the timerange for a particular search that gives back a set of hosts, but then you want to take all those hosts, and search for all the activity for those hosts, but just in the last 24 hours. In other words this is using the timerange only in a subsearch, and not in the outer search.

<module name="TimeRangePicker">
  <param name="selected">last 24 hours</param>
  <param name="searchWhenChanged">True</param>

  <module name="Search">
    <param name="search">search * [search earliest="$search.timeRange.earliest$" latest="$search.timeRange.latest$" | dedup host | fields host ] | timechart count</param>
    <param name="earliest">-24h</param>
    <param name="latest">now</param>

    <module name="JSChart" />
  </module>
</module>

Hopefully that helps. There's a great deal of documentation inside the Sideview Utils itself that can tell you more. Make sure to get the latest version from the Sideview site (http://sideviewapps.com/apps/sideview-utils ) rather than the much older version that's on Splunkbase.

sideview
SplunkTrust

Actually, never do that, i.e. putting $search.timeRange.earliest$ into the earliest param. It's completely redundant in all cases. 😃 You're making something trivial into something complex.

The outer search will pick up the TRP's arguments if earliest/latest are not set explicitly. And the subsearch will pick up whatever the outer search has, unless the subsearch contains explicit earliest="foo" and/or latest="bar" terms. And indeed if you put time terms into the subsearch you'll always get those nag messages. I can tell you how to remove them if they're appearing in the UI.

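The inheritance rules in the answer above, shown side by side as an added example (not code from the answer or from Sideview Utils; it reuses only the module and param names already used in the first answer). The first Search module spells the TimeRangePicker's range out explicitly everywhere; the second relies on the rules the answer describes and ends up with the same time range at every level, without the subsearch nag message.

```xml
<module name="TimeRangePicker">
  <param name="selected">last 24 hours</param>
  <param name="searchWhenChanged">True</param>

  <!-- Redundant form: the TRP range is repeated as earliest/latest params
       AND as explicit time terms inside the subsearch. The explicit
       subsearch terms are what trigger "Your timerange was substituted
       based on your search string". -->
  <module name="Search">
    <param name="search">search * [search earliest="$search.timeRange.earliest$" latest="$search.timeRange.latest$" | dedup host | fields host] | timechart count</param>
    <param name="earliest">$search.timeRange.earliest$</param>
    <param name="latest">$search.timeRange.latest$</param>
    <module name="JSChart" />
  </module>

  <!-- Equivalent simple form: no earliest/latest params, so the outer
       search picks up the TimeRangePicker's range; no time terms in the
       subsearch, so it inherits the outer search's range in turn. -->
  <module name="Search">
    <param name="search">search * [search * | dedup host | fields host] | timechart count</param>
    <module name="JSChart" />
  </module>
</module>
```

Explicit earliest/latest params (as in the first answer's -24h/now) are only needed when the outer search should use a different range from the TimeRangePicker; in that case the subsearch still needs its own time terms to get the picker's range.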
brettcave
Builder

Awesome, loving sideview 🙂

Quick question: if I set

<param name="earliest">$search.timeRange.earliest$</param>

would that still extract the active hosts from the selected time period, but return all events between $earliest$ and now? I have tried, but not sure which times are being overridden, as I see:

[subsearch]: [subsearch]: [subsearch]: Your timerange was substituted based on your search string