All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add default relative time to sideviews datetime module

sbsbb
Builder
‎03-14-2014 09:26 AM

Is it possible to add some default information to the datetime module ?

At the moment, it is empty at startup. Nice would be the ability to set a relative time default value "-15@m" , so that it would have a default value. Would that be possible ?

I guess the problem would be to have system information from the gui without search... ?

Reply

cyndiback
Path Finder
‎03-21-2014 02:22 PM

I've tried using the solution provided but dates are not displaying in the fields when the page is loaded (screenshot included). I am building a form that has a text field for username and then the datetime for earliest and latest. 

  <module name="TextField" layoutPanel="panel_row1_col1">
    <param name="label">Username</param>
    <param name="name">user</param>

    <module name="Search" autoRun="True">
      <param name="latest">@h</param>
      <param name="earliest">-24h@h</param>
      <param name="search"><![CDATA[
| stats count | fields - count | addinfo | rename info_min_time as earliest info_max_time as latest

]]></param>

      <module name="ResultsValueSetter">
        <param name="fields">earliest, latest</param>

          <module name="DateTime">
            <param name="label">Start date:</param>
            <param name="name">earliest</param>

            <module name="DateTime">
              <param name="label">End date:</param>
              <param name="name">latest</param>

              <module name="SubmitButton">
                <param name="allowSoftSubmit">True</param>

screen shot of page

Runtime Debug (datetime after ResultsValueSetter)

Debug Module : DateTime0_3_0

Search values added/modified for downstream modules (none) Normal keys added/modified for downstream modules (none) Search values inherited from upstream
 - search:  | stats count | fields - count | addinfo | rename info_min_time as earliest info_max_time as latest
 - timerange    (-24h@h,@h) over custom relative time range
 - search id    1395436519.1159 Normal keys inherited from upstream
 - user.element [object Object]
 - earliest 1395349200.000 
 - latest   1395435600.000
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-24-2014 10:58 AM

You're absolutely right. I'm very sorry about that DateTime technically looks upstream from a timeRange, not for the raw $earliest$ / $latest$ key. (If I made it look for a simple key then things got very ugly wrt permalinks and back button handling). I have updated my answer and it involves a little hoop-jumping with an extra Search module now.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-14-2014 03:42 PM

Remember that the DateTime module only thinks in terms of absolute timeranges. It would have no idea what to do with relative timeranges like "last 24 hours", whose representation in Splunk look something like "-24h@h,@h".

However... yes. Bear with me.

DateTime doesn't have any direct param to set a default value, but like all Sideview form element modules, if it sees a key coming from upstream whose name matches its "name" param, it will try to set itself to that value.

[[CORRECTION : DateTime is actually the exception to this rule. The DateTime module's name param can only be "earliest" or "latest", and it instead looks at the Splunk.TimeRange object that comes down, rather than the raw $earliest$ or $latest$ key. As a result we need to also use a weird trick to turn our $earliest$ and/or $latest$ keys into a timerange. 

<module name="Search">
  <param name="earliest">$earliest$</param>
  <param name="latest">$latest$</param>

]]

1) So a really simple example would be setting it from the URL.

In this page, if the URL had `viewName?earliest=1394836434

<module name="URLLoader" autoRun="True">
  <module name="DateTime">
    <param name="name">earliest</param>
    <param name="label">Search all events after</param>

then the DateTime module would set itself to that time.
(Technically it's not looking at the $earliest$ but rather the TimeRange object put in there by URLLoader)

2) Another simple example would be to set it from a ValueSetter module. 

<module name="ValueSetter" autoRun="True">
  <param name="arg.earliest">1394836434</param>

  <module name="Search">
    <param name="earliest">$earliest$</param>

    <module name="DateTime">
      <param name="name">earliest</param>
      <param name="label">Search all events after</param>

3) And anything you can set from a ValueSetter you can of course set from a ResultsValueSetter module. Meaning that you can have a search that returns time values in epochtime format (seconds since 1/1/1970), and yes you can technically compose a search or postprocess that can get for you the epochtime values of any other timerange, including relative timeranges. Remember to use that Search module to turn the raw key into a timerange and you can do quite a lot as far as prepopulating DateTime modules to dates dynamically.

So for instance in this example the DateTime modules would be populated by default with the absolute timerange of "last 24 hours". 

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">| stats count | fields - count | addinfo | rename info_min_time as earliest info_max_time as latest</param>
  <param name="earliest">-24h@h</param>
  <param name="latest">@h</param>

  <module name="ResultsValueSetter">
    <param name="fields">earliest, latest</param>

    <module name="Search">
      <param name="earliest">$earliest$</param>
      <param name="latest">$latest$</param>

      <module name="DateTime">
        <param name="name">earliest</param>
        <param name="label">From</param>

        <module name="DateTime">
          <param name="name">latest</param>
          <param name="label">To</param>

        ...
        </module>
      </module>
    </module>
  </module>
</module>

The | stats count | fields - count | addinfo | rename info_min_time as earliest info_max_time as latest search is a peculiar business. It's a search that doesn't actually search for anything. It's only purpose is to talk to Splunkd very very quickly, so as to get the addinfo command to convert the timerange for us... Lots of strange little tasks can be washed through the splunk search language where ordinarily you'd have to write some custom javascript code. your mileage of such things my vary. And vary very much in proportion to your love of maintaining custom code. 😃

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-24-2014 10:58 AM

You're absolutely right. I'm very sorry about that DateTime technically looks upstream from a timeRange, not for the raw $earliest$ / $latest$ key. (If I made it look for a simple key then things got very ugly wrt permalinks and back button handling). I have updated my answer and it involves a little hoop-jumping with an extra Search module now.

0 Karma
Reply

cyndiback
Path Finder
‎03-21-2014 02:24 PM

My post should have been submitted as a comment to this answer. Using solution I could not get the earliest/latest date/times to display in the DateTime modules by default.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top