Dashboards & Visualizations

How to apply selected timeframe to accelerated saved search on dashboard panel?

twinspop
Influencer

I've got a search created with acceleration enabled. For the sake of argument, the search is defined to run @d.

Now I want to include this search on a dashboard that includes a time selector. It will default to @d, but I'd like people to be able to pull up historical results. How do i get the selected timeframe to be applied to the accelerated saved search?

Use searchTemplate with a call to savedsearch? How do I apply the time selection?

EDIT: Still more details: I'm trying to re-use the same saved/accelerated search in multiple panels with different stats commands after the primary search. I don't think searchTemplate works here, and using searchName doesn't give the option to post-process the results.

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can use a time range picker and the <earliestTime>/<latestTime> tags as usual:

<form>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label/>
      <default>
        <earliestTime>0</earliestTime>
        <latestTime/>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchName>foo</searchName>
        <earliestTime>$time.earliest$</earliestTime>
        <latestTime>$time.latest$</latestTime>
      </table>
    </panel>
  </row>
</form>

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You can use a time range picker and the <earliestTime>/<latestTime> tags as usual:

<form>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label/>
      <default>
        <earliestTime>0</earliestTime>
        <latestTime/>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchName>foo</searchName>
        <earliestTime>$time.earliest$</earliestTime>
        <latestTime>$time.latest$</latestTime>
      </table>
    </panel>
  </row>
</form>

View solution in original post

twinspop
Influencer

That works. Thanks!

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could take an entirely different route - move your basic search to a macro, put that macro in a saved search to be accelerated, and use the macro to start off your <searchString> tags.

0 Karma

twinspop
Influencer

Ah, yeah, that works for a basic search. I was using <searchString>| savedsearch foo | stats .... </searchString> because I want to re-use the same saved/accelerated search in a few different panels with some different stats commands. Any way to accomplish that? As far as I can tell, searchTemplate (with postProcess) ignores the timeframe qualifiers.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!