All Apps and Add-ons

Sideview Utils: How to overwrite search timerange with ValueSetter?

DennisMohn
Path Finder

Hi guys,

Once again a question about advanced dashboard building.

I am rebuilding a pretty complex dashboard using Sideview Utils. There are two Preselections to be made from search-populated pulldowns. I am passing the values of these pulldowns to the main stream via the Gate module - which works like a charm for the values needed.

But - the "search" and "timerange" parameters get transferred as well - overwriting the selection of my TimeRangePicker in the main stream. I have tried to reset these values using a ValueSetter - both between the receiving Gate and the TimeRangePicker as well as before the sending Gates. But none of these did it - the initial search in the main stream is always started with the timerange of the Pulldown searches.

I have tried the following settings in different combinations:

  • setting "earliest" and "latest" to the desired values (-15m, now)
  • setting "timerange" to "(-15m,now)"
  • setting "timerange" to "" (blank value)

None of these worked. Please enlighten me ...

1 Solution

sideview
SplunkTrust
SplunkTrust

Well, the Sideview keys for timerange are $search.timeRange.earliest$ and $search.timeRange.latest$. Sideview modules listen for and/or output these keys, as do various legacy Splunk modules as patched by the Sideview code.

However... What sticks out for me is the use of a Sideview Gate module to do simple prepopulation. Using normal methods to prepopulate form elements you wouldn't get this little side effect. And Gate is a super advanced module, designed for much thornier use cases. Granted, there's probably more going on than you're describing, things that have pushed you in the direction of Gate, but if you were to post or email the XML I would be happy to advise (nick [at] sideviewapps.com). If Gate can be factored out of the solution this whole issue would go away.

Also the timerange keys may be a little wonky to actually prepopulate a TimeRangePicker itself. What you may want to do instead, assuming you do actually need Gate for some reason, is whack away the timerange before it crosses the Gate.

 <module name="ValueSetter">
   <param name="arg.search.timeRange.earliest"> </param>
   <param name="arg.search.timeRange.latest"> </param>
   ...outgoing Gate goes here... 

View solution in original post

sideview
SplunkTrust
SplunkTrust

Well, the Sideview keys for timerange are $search.timeRange.earliest$ and $search.timeRange.latest$. Sideview modules listen for and/or output these keys, as do various legacy Splunk modules as patched by the Sideview code.

However... What sticks out for me is the use of a Sideview Gate module to do simple prepopulation. Using normal methods to prepopulate form elements you wouldn't get this little side effect. And Gate is a super advanced module, designed for much thornier use cases. Granted, there's probably more going on than you're describing, things that have pushed you in the direction of Gate, but if you were to post or email the XML I would be happy to advise (nick [at] sideviewapps.com). If Gate can be factored out of the solution this whole issue would go away.

Also the timerange keys may be a little wonky to actually prepopulate a TimeRangePicker itself. What you may want to do instead, assuming you do actually need Gate for some reason, is whack away the timerange before it crosses the Gate.

 <module name="ValueSetter">
   <param name="arg.search.timeRange.earliest"> </param>
   <param name="arg.search.timeRange.latest"> </param>
   ...outgoing Gate goes here... 

DennisMohn
Path Finder

I made use of the Gate module to get rid of the "one parent module" rule. Maybe there are other means to achieve this, but except for the time constratins getting pushed through the gate there haven't been any issues. I will try out your suggestions tomorrow, as I'm already off work with no systems access 🙂

But thanks already for your help, it's highly appreciated!

0 Karma

sideview
SplunkTrust
SplunkTrust

OK. I guess the crux of it is, why was the one parent rule a problem specifically. Send me xml or details if/when you can.

0 Karma

DennisMohn
Path Finder

Main reason for using the Gate was that I have three dynamically filled pulldowns, which do searches over different time ranges. When arranging them in one stream I didn't get the results I expected. Putting them in two streams, and passing the needed fields through a gate did it.

With your description on how to reset the time ranges I might be able to single-stream the dashboard again, resetting the time ranges for the pulldown-searches accordingly.

0 Karma

sideview
SplunkTrust
SplunkTrust

Exactly, yes. Just specify earliest/latest right on the Search module(s) of course. Then the tricky bit is stashing the "outermost" earliest/latest pair for later. Search answers.splunk.com for "stashedEarliest" and a lot of questions/answers come up on exactly this topic.
Once you stashed the outer timerange like this, you can resurrect it at the end with a ValueSetter. Those other answers will show you all the details.

DennisMohn
Path Finder

I have tried your solution - and, lo and behold, it's working 🙂

In addition, with this solution I've been able to redesign the dashboard so the gates are not needed anymore.

Thanks again for your help!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...