All Apps and Add-ons

Sideview Utils DateTime Module - Start with Today, Not All Time

markschoonover
Explorer

Working with the DateTime module I'd like to have a default earliest value of today. I've tried this:

Sideview Utils

I've set the default time first in ValueSetter module to pass down to the DateTime module. Setting earliest in the first ValueSetter module doesn't seem to flow down to the DateTime, then down to the second ValueSetter, then to the Search Module. The first ValueSetter doesn't seem to have any impact.

If I set earliest in the second ValueSetter module, that'll work in replacing searching across all time, but when I select another earliest date from the DateTime Module, it doesn't overwrite the earliest value in the second ValueSetter before pushing that value down to the Search Module. Here's the XML:

<view isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
      <label>Skunk Works</label>

      <module name="AccountBar" layoutPanel="appHeader" />

      <module name="AppBar" layoutPanel="appHeader" />

      <module name="SideviewUtils" layoutPanel="appHeader" />

      <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="maxSize">2</param>
        <param name="clearOnJobDispatch">False</param>
      </module>

      <module name="HTML" layoutPanel="viewHeader">
        <param name="html"><![CDATA[
            <h1>Skunk Works</h1>
            ]]></param>
      </module>

      <module name="DateTime" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="showTimepicker">False</param>
        <param name="name">earliest</param>
        <param name="label">Select Start Day</param>

        <module name="ValueSetter">
          <param name="value">now</param>
          <param name="name">search.timeRange.earliest</param>

          <module name="Search">
            <param name="search">
    search...
    </param>
            <param name="search"><![CDATA[
    search...</param>

            <module name="HTML">
              <param name="html"><![CDATA[
    Tokens by Status, Assignment & Domain: $search.timeRange.label$]]></param>
            </module>

            <module name="HiddenChartFormatter">
              <param name="charting.chart.showDataLabels">all</param>
              <param name="charting.axisY.scale">log</param>
              <param name="charting.axisY.scale">log</param>

              <module name="JSChart">
                <param name="height">550</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </view>

Is there any way to set a start earliest value so the search doesn't execute across all time?

Mark

1 Solution

sideview
SplunkTrust
SplunkTrust

OK I see the problem here.

Short Version:
it's a bug in DateTime ! It's been filed for a while too so I need to fix it. See below for a workaround.

Long Version

  • Sideview Utils docs teach you that absolutely every kind of communication between modules is through $foo$ tokens. And a lot of things are rewritten or patched by Utils in the framework, to make that more true.

  • And you also learn along the way that the $search.timeRange.earliest$ and $search.timeRange.latest$ tokens are what Sideview uses everywhere to represent the timerange.

Except... technically a couple paces remain where reality isn't so simple. IN particular here, the real timerange is NOT those tokens ultimately, but rather an internal property of a "Search" object that is the value of the "special" $search$ token. ick yes lots of things in that sentence are horrible (and are bring fixed in Canary for that matter).

Anyway, then Sideview modules all have a convention they follow, which really makes it look like the timerange is just $search.timeRange.earliest$ and $search.timeRange.latest$. DateTime however has a bug where it doesn't follow this contract, at least when those tokens come from upstream.

Workaround:

Instead of using a ValueSetter to say, set the $search.timeRange.earliest$ token use this funny looking thing:

<module name="Search">
  <param name="earliest">1506024000</param>
  ...
</module> 

The Search module will change the timerange on the more canonical place, the DateTime module will then pick it up from there, and all will be well.

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

some side notes about this XML. There are two identical Search params so one of those can be removed. Not entirely sure how the framework picks a winner there but it's just picking one of them.

you might like to know that ValueSetter has a more compact syntax. Instead of this:

<module name="ValueSetter">
  <param name="value">now</param>
  <param name="name">search.timeRange.earliest</param>

you can do this:

now

And for that matter instead of this:

<module name="HiddenChartFormatter">
  <param name="charting.chart.showDataLabels">all</param>
  <param name="charting.axisY.scale">log</param>
  <param name="charting.axisY.scale">log</param>

you can do this:

<module name="ValueSetter">
  <param name="arg.charting.chart.showDataLabels">all</param>
  <param name="arg.charting.axisY.scale">log</param>
  <param name="arg.charting.axisY.scale">log</param>
0 Karma

sideview
SplunkTrust
SplunkTrust

OK I see the problem here.

Short Version:
it's a bug in DateTime ! It's been filed for a while too so I need to fix it. See below for a workaround.

Long Version

  • Sideview Utils docs teach you that absolutely every kind of communication between modules is through $foo$ tokens. And a lot of things are rewritten or patched by Utils in the framework, to make that more true.

  • And you also learn along the way that the $search.timeRange.earliest$ and $search.timeRange.latest$ tokens are what Sideview uses everywhere to represent the timerange.

Except... technically a couple paces remain where reality isn't so simple. IN particular here, the real timerange is NOT those tokens ultimately, but rather an internal property of a "Search" object that is the value of the "special" $search$ token. ick yes lots of things in that sentence are horrible (and are bring fixed in Canary for that matter).

Anyway, then Sideview modules all have a convention they follow, which really makes it look like the timerange is just $search.timeRange.earliest$ and $search.timeRange.latest$. DateTime however has a bug where it doesn't follow this contract, at least when those tokens come from upstream.

Workaround:

Instead of using a ValueSetter to say, set the $search.timeRange.earliest$ token use this funny looking thing:

<module name="Search">
  <param name="earliest">1506024000</param>
  ...
</module> 

The Search module will change the timerange on the more canonical place, the DateTime module will then pick it up from there, and all will be well.

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

I see you're using our Editor, which is great. Can you fish out the XML for those four modules from "Settings>User Interface > Views" and paste it into the question? that'll show all the params and values.

I think I know what the problem is, but want to make sure first.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!