- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Timerangepicker earliest problem
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a view with a chart that uses the timerangepicker module. The index which is used to display data in this chart has data going back as far as January 2012. However, I only want to be able to use the timerangepicker to return data from July 2012.
The two cases I am seeing are as follows:
1) If I try to add the earliest param to my hiddensearch for this chart, the timerangepicker does not work at all when the hiddensearch is inside the timerangepicker module code.
2) If I place the timerangepicker inside of the hiddensearch module code, then the earliest param is ignored when I set the timerangepicker to 'All time'
What I would like is that no mattter how far back you set the timerangepicker, it will not return data prior to July 2012. So if I choose 'All time' the chart will not return the data from January through June 2012 end.
Is there a way of getting this behaviour in a view?
Thanks in advance for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, one advanced but unobtrusive way to do this, at least given that you're already in a custom view, is to use the head command with a predicate.
The head command can be given a condition basically, and when it hits that condition it shuts down the streaming portion of the search.
<other search terms> | eval nevermore = strptime("06/01/2012:12:00:00", "%m/%d/%Y:%H:%M:%S") | head (_time>nevermore) | fields - nevermore
However if the search terms appearing before have any non-streaming commands, you might be careful. I think that head will shut down the streaming portion even if it's itself inserted into the search pipeline after the end of the streaming portion, but again you might keep an eye on that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, one advanced but unobtrusive way to do this, at least given that you're already in a custom view, is to use the head command with a predicate.
The head command can be given a condition basically, and when it hits that condition it shuts down the streaming portion of the search.
<other search terms> | eval nevermore = strptime("06/01/2012:12:00:00", "%m/%d/%Y:%H:%M:%S") | head (_time>nevermore) | fields - nevermore
However if the search terms appearing before have any non-streaming commands, you might be careful. I think that head will shut down the streaming portion even if it's itself inserted into the search pipeline after the end of the streaming portion, but again you might keep an eye on that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. This question has also been answered here: http://splunk-base.splunk.com/answers/57684/limit-how-far-back-you-can-retrieve-data-regardless-of-t...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I solved the same problem by inserting a time filtering clause into my main search. Then you can use TimeRangePicker after the search and it will work.
Here is how the Advanced XML code sample looks like:
< module name="Search" autoRun="False" >
< param name="search" >
sourcetype="Updates" UpdateSet="$UpdateSet$" UpdateName="$UpdateName$"
table _time, UpdateSize |
eval epoch = strptime("06/01/2012:12:00:00", "%m/%d/%Y:%H:%M:%S") | where _time > epoch
< /param >
< module name="TimeRangePicker" >
< param name="label" > Time range: < /param >
< param name="selected" > Last 7 days < /param >
< param name="searchWhenChanged" > false < /param >
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for responding
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you try by using your own custom times.conf ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Either don't store it or you will need to either modify timerangepicker (as MarioM suggests) or write a custom module to filter the timerange. Or don't store the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i dont believe you can do that outside modifying the timerangepicker module code...but let's see if someone has other ideas.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't want to create custom times. I want to limit how far back you can retrieve data from. E.g. I don't want users to see data before September 1st 2012 so if they choose 'Last 30 days' on the standard timerangepicker, it will not return data before September 1st 2012 although data exists for Aughust 31st 2012.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
