All Apps and Add-ons

Is it possible to save the TimeRangePicker value?

kragel
Path Finder

I'm trying to execute multiple searches using the same value selected with TimeRangePicker. After the first search it appears that search resets to "(latest indexed event)". I don't want to present another TimeRangePicker each time I do a new search. I'd like to save the original setting for each future search. Any ideas? Thank you.

Here's the code where I have to present another TimeRangePicker to the user:

    <module name="TextField" layoutPanel="panel_row1_col1">
      <module name="Button">
        <param name="allowSoftSubmit">True</param>
        <module name="TimeRangePicker">
          <param name="default">Last 4 hours</param>
          <module name="Search">
            <param name="search">host=smtphost* |table _time,to
            <module name="JobProgressIndicator"/>
              <module name="Pager">
                <param name="count">10</param>
                <module name="Table">
                  <param name="hiddenFields"></param>
                  <module name="TimeRangePicker">
                    <param name="default">Last 4 hours</param>
                    <module name="Search" autoRun="False">
                      <param name="search">$row.fields.qid$ msgid | table _time,msgid</param>
                      <module name="JobProgressIndicator"/>
                      <module name="Pager">
                        <param name="count">10</param>
                        <module name="Table">
                          <param name="hiddenFields"></param>
1 Solution

sideview
SplunkTrust
SplunkTrust

In inline drilldown, if the user ever interacts with a Table, JSChart, FlashChart, or SimpleResultsTable module that has values for both _time and _span, then the drilldown automatically incorporates the absolute timerange of that row, as the timerange argument for subsequent drilldown searches.

timechart obviously outputs _time, although you may never have noticed or thought about the _span field that it outputs as well.

What's happening here, is that the drilldown sees the _time, but not the span, so it sets a timerange that is bounded on the earliest side by that time, and that is unbounded on the latest side. This is sort of the best it can do.

If you dont want this behavior, and you want the upstream TimeRangePicker to keep on applying, you can just rename the_time field to something else... once it's not called "_time", the UI wont do anything special to make it readable so it'll become a weird integer representing the number of seconds since 1970. But you can use eval with strftime() as necessary to convert it to a nice readable string-formatted time.

This has come up on quite a lot of other answers posts. Here is a good one. And while I dont think you technically do need to preserve the TimeRangePicker argument here for use downstream, the answer here does tell you how to do that.
http://answers.splunk.com/answers/81191/is-their-a-way-to-preserve-the-time-selected-value-from-time...

View solution in original post

sideview
SplunkTrust
SplunkTrust

In inline drilldown, if the user ever interacts with a Table, JSChart, FlashChart, or SimpleResultsTable module that has values for both _time and _span, then the drilldown automatically incorporates the absolute timerange of that row, as the timerange argument for subsequent drilldown searches.

timechart obviously outputs _time, although you may never have noticed or thought about the _span field that it outputs as well.

What's happening here, is that the drilldown sees the _time, but not the span, so it sets a timerange that is bounded on the earliest side by that time, and that is unbounded on the latest side. This is sort of the best it can do.

If you dont want this behavior, and you want the upstream TimeRangePicker to keep on applying, you can just rename the_time field to something else... once it's not called "_time", the UI wont do anything special to make it readable so it'll become a weird integer representing the number of seconds since 1970. But you can use eval with strftime() as necessary to convert it to a nice readable string-formatted time.

This has come up on quite a lot of other answers posts. Here is a good one. And while I dont think you technically do need to preserve the TimeRangePicker argument here for use downstream, the answer here does tell you how to do that.
http://answers.splunk.com/answers/81191/is-their-a-way-to-preserve-the-time-selected-value-from-time...

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...