I'm trying to execute multiple searches using the same value selected with TimeRangePicker. After the first search it appears that search resets to "(latest indexed event)". I don't want to present another TimeRangePicker each time I do a new search. I'd like to save the original setting for each future search. Any ideas? Thank you.
Here's the code where I have to present another TimeRangePicker to the user:
<module name="TextField" layoutPanel="panel_row1_col1">
<module name="Button">
<param name="allowSoftSubmit">True</param>
<module name="TimeRangePicker">
<param name="default">Last 4 hours</param>
<module name="Search">
<param name="search">host=smtphost* |table _time,to
<module name="JobProgressIndicator"/>
<module name="Pager">
<param name="count">10</param>
<module name="Table">
<param name="hiddenFields"></param>
<module name="TimeRangePicker">
<param name="default">Last 4 hours</param>
<module name="Search" autoRun="False">
<param name="search">$row.fields.qid$ msgid | table _time,msgid</param>
<module name="JobProgressIndicator"/>
<module name="Pager">
<param name="count">10</param>
<module name="Table">
<param name="hiddenFields"></param>
In inline drilldown, if the user ever interacts with a Table, JSChart, FlashChart, or SimpleResultsTable module that has values for both _time and _span, then the drilldown automatically incorporates the absolute timerange of that row, as the timerange argument for subsequent drilldown searches.
timechart obviously outputs _time, although you may never have noticed or thought about the _span field that it outputs as well.
What's happening here, is that the drilldown sees the _time, but not the span, so it sets a timerange that is bounded on the earliest side by that time, and that is unbounded on the latest side. This is sort of the best it can do.
If you dont want this behavior, and you want the upstream TimeRangePicker to keep on applying, you can just rename the_time field to something else... once it's not called "_time", the UI wont do anything special to make it readable so it'll become a weird integer representing the number of seconds since 1970. But you can use eval with strftime() as necessary to convert it to a nice readable string-formatted time.
This has come up on quite a lot of other answers posts. Here is a good one. And while I dont think you technically do need to preserve the TimeRangePicker argument here for use downstream, the answer here does tell you how to do that.
http://answers.splunk.com/answers/81191/is-their-a-way-to-preserve-the-time-selected-value-from-time...
In inline drilldown, if the user ever interacts with a Table, JSChart, FlashChart, or SimpleResultsTable module that has values for both _time and _span, then the drilldown automatically incorporates the absolute timerange of that row, as the timerange argument for subsequent drilldown searches.
timechart obviously outputs _time, although you may never have noticed or thought about the _span field that it outputs as well.
What's happening here, is that the drilldown sees the _time, but not the span, so it sets a timerange that is bounded on the earliest side by that time, and that is unbounded on the latest side. This is sort of the best it can do.
If you dont want this behavior, and you want the upstream TimeRangePicker to keep on applying, you can just rename the_time field to something else... once it's not called "_time", the UI wont do anything special to make it readable so it'll become a weird integer representing the number of seconds since 1970. But you can use eval with strftime() as necessary to convert it to a nice readable string-formatted time.
This has come up on quite a lot of other answers posts. Here is a good one. And while I dont think you technically do need to preserve the TimeRangePicker argument here for use downstream, the answer here does tell you how to do that.
http://answers.splunk.com/answers/81191/is-their-a-way-to-preserve-the-time-selected-value-from-time...