Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to programmatically set time range configuration values with UNIX epoch

cguedes
Engager
‎06-26-2015 03:47 AM

I want to programmatically change/add stanza configurations to times.conf using UNIX epoch times.

In the Splunk's UI we can change time range configurations ( settings -> user interface -> time ranges ). But the UI does not allow to set/update values of earliest/latest times with UNIX epoch values. It give the following error:

Encountered the following error while trying to update: In handler 'conf-times': Invalid time: 1429848000

I've also tried without success the Configuration endpoint REST API. The API give the following error:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">
 In handler 'conf-times': Invalid time: 1429858700</msg>
  </messages>
</response>

But if we edit the times.conf file and configure specific epoch values it works (after restart splunkd). Here is an example of a stanza with this configuration:

[test_run_24_04]
label = Test Run 24/04
earliest_time = 1429848000
latest_time   = 1429858800

This is not a good solution for me because we often need to add custom time ranges. There are another programmatic way of set these values using UNIX epoch?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎06-26-2015 04:08 AM

Editing times.conf to give you a specific time range on data is not a good idea. You will very quickly pollute your Time Range Pickers with tons of data. It would be better to build saved searches with the saved time ranges for each search. You could probably also have a Dropdown populated from a look up with the job run, earliest/latest times in it to execute the search. Static Times in the configuration files defeat the purpose of saved searches and macros and other configurations.

For example, why not use macros? 

[test_run_24_04]
definition = earliest = 142984800 latest   = 1429858800

Then in your search:

`test_run_24_04` index=myindex <...other search terms...>

You could even have those macros in a Simple XML Form! (I'm writing this XML from memory, so it will have errors!)

<input type="dropdown"><option name="test run 24 04" >test_run_24_04</option></input>
<search><query>`$myDropDownToken$` index=myindex</query></search>

So this is really short hand, but you get the point. You can use the form to pull the macros defined, and the best part is: Macros are SUPER easy to programmatically define!! Via REST or Via GUI!!!!

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎06-26-2015 04:08 AM

Editing times.conf to give you a specific time range on data is not a good idea. You will very quickly pollute your Time Range Pickers with tons of data. It would be better to build saved searches with the saved time ranges for each search. You could probably also have a Dropdown populated from a look up with the job run, earliest/latest times in it to execute the search. Static Times in the configuration files defeat the purpose of saved searches and macros and other configurations.

For example, why not use macros? 

[test_run_24_04]
definition = earliest = 142984800 latest   = 1429858800

Then in your search:

`test_run_24_04` index=myindex <...other search terms...>

You could even have those macros in a Simple XML Form! (I'm writing this XML from memory, so it will have errors!)

<input type="dropdown"><option name="test run 24 04" >test_run_24_04</option></input>
<search><query>`$myDropDownToken$` index=myindex</query></search>

So this is really short hand, but you get the point. You can use the form to pull the macros defined, and the best part is: Macros are SUPER easy to programmatically define!! Via REST or Via GUI!!!!

Reply
Solved! Jump to solution

cguedes
Engager
‎07-06-2015 02:54 PM

This solution works fine.

I've used the Splunk REST API to retrieve the macro values to fill a dashboard dropdown, with the following splunk query:

| rest /services/configs/conf-macros | search title=test_run*

The only downside of this solution is the need to use the errormsg field of macro to store the field label. There are a description field but it cannot be edited via the Splunk web interface (its' only editable via .conf file or REST API).

0 Karma
Reply
Solved! Jump to solution

cguedes
Engager
‎06-26-2015 06:14 AM

Tnks for the quick answer.
I'm not aware of this macro feature of splunk.
I will test this right away and then I accept this as valid answer if it works.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...