How to programmatically set time range configuration values with UNIX epoch

cguedes
Engager

I want to programmatically change/add stanza configurations to times.conf using UNIX epoch times.

In Splunk's UI we can change time range configurations (settings -> user interface -> time ranges). But the UI does not allow setting/updating the values of earliest/latest times with UNIX epoch values. It gives the following error:

Encountered the following error while trying to update: In handler 'conf-times': Invalid time: 1429848000

I've also tried the Configuration endpoint REST API, without success. The API gives the following error:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">
 In handler 'conf-times': Invalid time: 1429858700</msg>
  </messages>
</response>

But if we edit the times.conf file and configure specific epoch values, it works (after restarting splunkd). Here is an example of a stanza with this configuration:

[test_run_24_04]
label = Test Run 24/04
earliest_time = 1429848000
latest_time   = 1429858800

This is not a good solution for me because we often need to add custom time ranges. Is there another programmatic way to set these values using UNIX epoch?

0 Karma
1 Solution

alacercogitatus
SplunkTrust

Editing times.conf to give you a specific time range on data is not a good idea. You will very quickly pollute your Time Range Pickers with tons of data. It would be better to build saved searches with the saved time ranges for each search. You could probably also have a Dropdown populated from a lookup with the job run, earliest/latest times in it to execute the search. Static Times in the configuration files defeat the purpose of saved searches and macros and other configurations.

For example, why not use macros?

[test_run_24_04]
definition = earliest=1429848000 latest=1429858800

Then in your search:

`test_run_24_04` index=myindex <...other search terms...>

You could even have those macros in a Simple XML Form! (I'm writing this XML from memory, so it will have errors!)

<input type="dropdown" token="myDropDownToken"><choice value="test_run_24_04">test run 24 04</choice></input>
<search><query>`$myDropDownToken$` index=myindex</query></search>

So this is really shorthand, but you get the point. You can use the form to pull the macros defined, and the best part is: Macros are SUPER easy to programmatically define!! Via REST or Via GUI!!!!

cguedes
Engager

This solution works fine.

I've used the Splunk REST API to retrieve the macro values to fill a dashboard dropdown, with the following Splunk query:

| rest /services/configs/conf-macros | search title=test_run*

The only downside of this solution is the need to use the errormsg field of the macro to store the field label. There is a description field, but it cannot be edited via the Splunk web interface (it's only editable via .conf file or REST API).

0 Karma
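
Added example, not part of the original thread and not Splunk's own code: one way to build the REST call that defines such a time-range macro, validating the epoch range and restricting the macro name to characters that are safe to substitute into a search through a dropdown token. The host, the bearer-token authentication, the name pattern and the helper names are assumptions; the endpoint path and the use of the description field for the label come from the posts above.

```python
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Assumed values (not from the thread): management URL and macro-name policy.
BASE_URL = "https://splunk.example.com:8089"   # placeholder host
ENDPOINT = "/services/configs/conf-macros"     # endpoint path used in the thread
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")    # keeps names safe as a dropdown token


def to_epoch(ts):
    """Convert 'YYYY-MM-DD HH:MM:SS' (UTC) to integer UNIX epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def macro_definition(earliest, latest):
    """Build the macro body; reject non-integer or inverted ranges."""
    if not (isinstance(earliest, int) and isinstance(latest, int)):
        raise ValueError("epoch values must be integers")
    if not 0 <= earliest < latest:
        raise ValueError("earliest must be non-negative and before latest")
    return f"earliest={earliest} latest={latest}"


def build_macro_request(name, label, earliest, latest, token):
    """Return the POST request that creates the macro stanza (nothing is sent)."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("macro name must match [A-Za-z0-9_]{1,64}")
    body = urllib.parse.urlencode({
        "name": name,
        "definition": macro_definition(earliest, latest),
        "description": label,   # label stored in description, editable via REST
    }).encode()
    return urllib.request.Request(
        BASE_URL + ENDPOINT, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}"},
    )


if __name__ == "__main__":
    req = build_macro_request("test_run_24_04", "Test Run 24/04",
                              to_epoch("2015-04-24 04:00:00"), 1429858800, "<token>")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) would send it; TLS verification stays on by default.
```
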

cguedes
Engager

Thanks for the quick answer.
I'm not aware of this macro feature of Splunk.
I will test this right away and then accept this as a valid answer if it works.

0 Karma