All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change search query by time range

philip_wong
Communicator
‎05-11-2012 02:22 AM

Can I create a dashboard that the searches depend on time range selected?

For my case, I want to query 24 hours data from original index and timechart span=5min
When user selected time range larger than 24 hours, then it will search data from summary index and with timechart span=1h.

Does TimeRangePicker allow such customization?
Or I need to use Sideview?

Philip

Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎05-11-2012 04:30 AM

There's a "hack" that allows you to choose a different summary index as the query-source depending on the selected timerange:

<your search> [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ]

So this will expand to index=summary1 <your search> if the selected timerange is less than a day and index=summary2 <your search> otherwise.

Unfortunately this can't be used to alter the span parameter for the timerange command.

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎05-11-2012 04:30 AM

There's a "hack" that allows you to choose a different summary index as the query-source depending on the selected timerange:

<your search> [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ]

So this will expand to index=summary1 <your search> if the selected timerange is less than a day and index=summary2 <your search> otherwise.

Unfortunately this can't be used to alter the span parameter for the timerange command.

Reply
Solved! Jump to solution

philip_wong
Communicator
‎05-14-2012 11:26 PM

Thank you so much! I think it can really solve my problem.

I'd like to learn more.

  1. "addinfo" allows us to post-process the search?
  2. Is it a must to have "stats count"?
  3. If I need to run a timechart here, so it should be done by this?

[ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ] | timechart count

I think span is not a big concern

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-11-2012 02:39 AM

If you don't explicitly specify a span for timechart it will pick an appropriate span automatically, which should be the easiest way of solving what you want to accomplish.

0 Karma
Reply
Solved! Jump to solution

philip_wong
Communicator
‎05-15-2012 01:21 AM

Yes... badly it becomes my next problem now...
I tried to fix the span=5m. But it's fine to retrieve per 1h data from summary index for 7 days. But if I change the range to 30 days, it will show nothing in timechart!

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-11-2012 02:51 AM

Ah, I missed the part of using the summary index instead of the default, sorry. To my knowledge this is not possible to do (or at least not easily done).

0 Karma
Reply
Solved! Jump to solution

philip_wong
Communicator
‎05-11-2012 02:42 AM

Indeed I have tried. Seems Splunk won't choose span=5min. (I guess 15min is the default minimal)

And I still have problem to make my index to be dynamic...

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...