Solved: Change search query by time range

philip_wong · ‎05-11-2012

Can I create a dashboard that the searches depend on time range selected?

For my case, I want to query 24 hours data from original index and timechart span=5min
When user selected time range larger than 24 hours, then it will search data from summary index and with timechart span=1h.

Does TimeRangePicker allow such customization?
Or I need to use Sideview?

Philip

ziegfried · ‎05-11-2012

There's a "hack" that allows you to choose a different summary index as the query-source depending on the selected timerange:

<your search> [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ]

So this will expand to index=summary1 <your search> if the selected timerange is less than a day and index=summary2 <your search> otherwise.

Unfortunately this can't be used to alter the span parameter for the timerange command.

View solution in original post

ziegfried · ‎05-11-2012

There's a "hack" that allows you to choose a different summary index as the query-source depending on the selected timerange:

<your search> [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ]

So this will expand to index=summary1 <your search> if the selected timerange is less than a day and index=summary2 <your search> otherwise.

Unfortunately this can't be used to alter the span parameter for the timerange command.

philip_wong · ‎05-14-2012

Thank you so much! I think it can really solve my problem.

I'd like to learn more.

"addinfo" allows us to post-process the search?
Is it a must to have "stats count"?
If I need to run a timechart here, so it should be done by this?

[ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ] | timechart count

I think span is not a big concern

Ayn · ‎05-11-2012

If you don't explicitly specify a span for timechart it will pick an appropriate span automatically, which should be the easiest way of solving what you want to accomplish.

philip_wong · ‎05-15-2012

Yes... badly it becomes my next problem now...
I tried to fix the span=5m. But it's fine to retrieve per 1h data from summary index for 7 days. But if I change the range to 30 days, it will show nothing in timechart!

Ayn · ‎05-11-2012

Ah, I missed the part of using the summary index instead of the default, sorry. To my knowledge this is not possible to do (or at least not easily done).

philip_wong · ‎05-11-2012

Indeed I have tried. Seems Splunk won't choose span=5min. (I guess 15min is the default minimal)

And I still have problem to make my index to be dynamic...

Thanks!

Change search query by time range

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation