All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

form with timerangepicker to postfilter (sideview utils or intentions?)

brettcave
Builder
‎05-15-2013 06:58 AM

I'm building a form that I would like to filter results based on input time range.

Basically have a timerangepicker or similar component, and when the time range is selected, apply it into a search in a specific format.

e.g, to build a report that contains ALL host data, but only for hosts that reported an error within a time range specified by the picker:

<module name="TimeRangePicker"><module name="Button">
<module name="Search">
  <param name="search">
   [ search earliest="$timerange.earliest$" latest="$timerange.latest$" eventtype="SomeSortOfError" | dedup host | fields + host ] .....
  </param>
</module>
</module></module>

So from the example above, I'm looking to try get the time range from the picker into the sub-search, that is used to filter the results.

Any ideas on how to get this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brettcave
Builder
‎05-15-2013 07:55 AM

Stumbled across the answer: http://splunk-base.splunk.com/answers/77362/timerangepicker-as-intention

 <module name="Search">
  <param name="search">search * [search earliest="$search.timeRange.earliest$" latest="$search.timeRange.latest$" | dedup host | fields host ] | timechart count 
  <param name="earliest">-24h</param>
  <param name="latest">now</param>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

brettcave
Builder
‎05-15-2013 07:55 AM

Stumbled across the answer: http://splunk-base.splunk.com/answers/77362/timerangepicker-as-intention

 <module name="Search">
  <param name="search">search * [search earliest="$search.timeRange.earliest$" latest="$search.timeRange.latest$" | dedup host | fields host ] | timechart count 
  <param name="earliest">-24h</param>
  <param name="latest">now</param>
0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎05-20-2013 01:04 AM

Correct, that's what I am trying to do. The TRP is used as a filter of objects (users registering within a certain time period in my case), while the report needs to be across all data.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎05-15-2013 10:56 AM

If your intention is to apply the TRP's timerange to just the subsearch, and to run the outer search over the past 24 hours always, then you are absolutely correct. Just posting this comment to make sure.

For others reading who DONT need to do this nuanced use case, if you simply want to run both inner and outer subsearches over the given timerange, it happens automatically and you don't need to do any of this. ie you would just delete earliest="$search.timeRange.earliest$" latest="$search.timeRange.latest$" entirely and let the TimeRangePicker automatically submit its timerange.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...