Can TimeRangePicker override time in HiddenSavedSearch?

Branden
Builder

I have an advanced dashboard for each host. This dashboard includes a number of HiddenSavedSearches which run every 10-30 minutes depending on the search. The SavedSearch looks back 24 hours.

I want to include a TimeRangePicker so that a user could select a date and get a snapshot of that host at the time specified.

I'm guessing that this will make my HiddenSavedSearches obsolete since they are defined with a -24h range.

For performance reasons, I do not want to give up my HiddenSavedSearches. Am I better off creating a separate dashboard and new set of Saved Searches for these point-in-time snapshots? Or is there a way to get the TimeRangePicker to "override" the -24h in the defined HiddenSavedSearch? I realize I'll lose performance if anything before -24h is selected, but that's okay. I'm just trying to avoid creating a whole new dashboard and whole new set of searches.

Thanks!

1 Solution

sideview
SplunkTrust

You can do this sort of thing although it'll seem like a really roundabout way compared to what you're asking.

A TimeRangePicker module placed downstream from a HiddenSavedSearch is able to override the timerange from the saved search. However, it will indeed clobber the scheduled-ness of the old job you want to use. And TimeRangePicker is not smart enough to NOT clobber the job if it notices the timeranges match. That would be nice, although it would create a bunch of other problems. And what would cause further trouble is that if the HiddenSavedSearch is configured to pull the results from any scheduled jobs (useHistory=true or useHistory=auto) and there's a TimeRangePicker downstream, then it will actually display an error in the UI.

That is because setting HiddenSavedSearch's useHistory param to auto or True means it will pull from the scheduled results, but then putting a TimeRangePicker there means it will not. So the system considers this a configuration error.

However, this is a request that I've heard from several different people. What I've told them is to look into 'switcher' modules. In the 'UI Examples for 4.1' app on splunkbase (which you should read through carefully if you haven't already), there is an example view at something like 'Advanced XML > switcher'.

So you could use a LinkSwitcher or a PulldownSwitcher to give the user a choice between one scheduled version and N specific dynamic versions:

last hour (scheduled) | this hour | real time

Underneath a switcher module there are 3 subtrees of module config. When the first link is clicked it will show the first subtree, the second maps to the second, etc. In this way you can have arbitrarily different config, or in this case config that differs only in that HiddenSavedSearch becomes HiddenSearch.

And another way to go is to have two panels/tabs/links/options etc:

last hour (scheduled) | manual

and in the 'manual' subtree you put a TimeRangePicker and let the user pick whatever timerange they want.
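
A sketch of the two-subtree "scheduled | manual" layout described in the answer above, as an added example that is not part of the original post or taken from the 'UI Examples' app. The saved search name, the inline search string, the `layoutPanel` value and the link labels are assumptions; module and param names follow Splunk 4.x Advanced XML conventions and should be checked against the switcher example view the answer mentions.

```xml
<!-- Added illustration. Hypothetical values: the saved search name
     "Host Snapshot 24h", the inline search string, EXAMPLE_HOST,
     the layoutPanel and the group labels. -->
<module name="LinkSwitcher" layoutPanel="panel_row1_col1">
  <param name="mode">independent</param>
  <param name="label">Time range</param>

  <!-- Subtree 1: reuses results of the scheduled job.
       No TimeRangePicker below it: with useHistory enabled, a downstream
       picker is treated as a configuration error. -->
  <module name="HiddenSavedSearch" group="last 24 hours (scheduled)">
    <param name="savedSearch">Host Snapshot 24h</param>
    <param name="useHistory">Auto</param>
    <module name="SimpleResultsTable"/>
  </module>

  <!-- Subtree 2: the same search written inline as a HiddenSearch, so
       nothing is pulled from scheduled results and the picker can set
       any time range. A new job is dispatched for each selection. -->
  <module name="HiddenSearch" group="manual">
    <param name="search">index=os host=EXAMPLE_HOST | stats count by sourcetype</param>
    <module name="TimeRangePicker">
      <param name="searchWhenChanged">True</param>
      <module name="JobProgressIndicator"/>
      <module name="SimpleResultsTable"/>
    </module>
  </module>
</module>
```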

Branden
Builder

Thank you for the detailed response! I am going to look into the Switcher modules. Too bad it can't do the override I asked about, but oh well. I'll give your suggestion a try. Thanks again!

0 Karma