
Timerangepicker earliest problem

Motivator

Hi,

I have a view with a chart that uses the timerangepicker module. The index which is used to display data in this chart has data going back as far as January 2012. However, I only want to be able to use the timerangepicker to return data from July 2012.

The two cases I am seeing are as follows:
1) If I try to add the earliest param to my hiddensearch for this chart, the timerangepicker does not work at all when the hiddensearch is inside the timerangepicker module code.
2) If I place the timerangepicker inside of the hiddensearch module code, then the earliest param is ignored when I set the timerangepicker to 'All time'

What I would like is that no matter how far back you set the timerangepicker, it will not return data prior to July 2012. So if I choose 'All time' the chart will not return the data from January through the end of June 2012.

Is there a way of getting this behaviour in a view?

Thanks in advance for your help.


Re: Timerangepicker earliest problem

Motivator

Did you try using your own custom times.conf?


Re: Timerangepicker earliest problem

Motivator

I don't want to create custom times. I want to limit how far back you can retrieve data from. E.g. I don't want users to see data before September 1st 2012, so if they choose 'Last 30 days' on the standard timerangepicker, it will not return data before September 1st 2012 although data exists for August 31st 2012.


Re: Timerangepicker earliest problem

Motivator

I don't believe you can do that outside of modifying the timerangepicker module code... but let's see if someone has other ideas.


Re: Timerangepicker earliest problem

Motivator

Either don't store it or you will need to either modify timerangepicker (as MarioM suggests) or write a custom module to filter the timerange. Or don't store the data.


Re: Timerangepicker earliest problem

Communicator

I solved the same problem by inserting a time filtering clause into my main search. Then you can use TimeRangePicker after the search and it will work.

Here is what the Advanced XML code sample looks like:

    <module name="Search" autoRun="False">
      <!-- The trailing where clause drops events at or before the cutoff,
           whatever range the TimeRangePicker sends -->
      <param name="search">
        sourcetype="Updates" UpdateSet="$UpdateSet$" UpdateName="$UpdateName$" |
        table _time, UpdateSize |
        eval epoch = strptime("06/01/2012:12:00:00", "%m/%d/%Y:%H:%M:%S") | where _time > epoch
      </param>
      <module name="TimeRangePicker">
        <param name="label">Time range:</param>
        <param name="selected">Last 7 days</param>
        <param name="searchWhenChanged">false</param>
        <!-- downstream modules go here -->
      </module>
    </module>

Re: Timerangepicker earliest problem

Motivator

Thanks for responding


Re: Timerangepicker earliest problem

SplunkTrust

Well, one advanced but unobtrusive way to do this, at least given that you're already in a custom view, is to use the head command with a predicate.

The head command can be given a condition basically, and when it hits that condition it shuts down the streaming portion of the search.

<other search terms> | eval nevermore = strptime("06/01/2012:12:00:00", "%m/%d/%Y:%H:%M:%S") | head (_time>nevermore) | fields - nevermore

However if the search terms appearing before have any non-streaming commands, you might be careful. I think that head will shut down the streaming portion even if it's itself inserted into the search pipeline after the end of the streaming portion, but again you might keep an eye on that.
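
A small Python model of the difference between the two answers above (`where _time > epoch` versus `head (_time>nevermore)`), added here as an illustration; it is not code from the thread and not Splunk's implementation. It assumes events reach the filter newest first, and all function names and sample events are constructed.

```python
from datetime import datetime, timezone

FMT = "%m/%d/%Y:%H:%M:%S"  # same format string as the strptime() calls above

def epoch(ts):
    """Rough stand-in for SPL strptime(): timestamp string -> epoch seconds (UTC assumed)."""
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc).timestamp()

def counted(events, stats):
    """Yield events one at a time, counting how many the filter actually pulled."""
    for ev in events:
        stats["read"] += 1
        yield ev

def where_after(events, cutoff):
    """Model of `| where _time > cutoff`: tests every event, never stops early."""
    return [ev for ev in events if ev["_time"] > cutoff]

def head_while_after(events, cutoff):
    """Model of `| head (_time > cutoff)`: stops at the first event that fails."""
    kept = []
    for ev in events:
        if not ev["_time"] > cutoff:
            break
        kept.append(ev)
    return kept

def run(filter_fn, events, cutoff):
    """Return (ids of kept events, number of events read from upstream)."""
    stats = {"read": 0}
    kept = filter_fn(counted(events, stats), cutoff)
    return [ev["id"] for ev in kept], stats["read"]

CUTOFF = epoch("06/01/2012:12:00:00")  # cutoff used in both answers

# Constructed sample events, newest first (ids 0..5)
NEWEST_FIRST = [{"id": i, "_time": epoch(t)} for i, t in enumerate([
    "09/15/2012:08:00:00", "07/04/2012:10:30:00", "06/02/2012:00:00:00",
    "05/31/2012:23:59:59", "03/10/2012:14:00:00", "01/05/2012:09:00:00"])]

# Constructed edge case: an old event (id 4) arrives ahead of newer ones
OUT_OF_ORDER = [NEWEST_FIRST[0], NEWEST_FIRST[4], NEWEST_FIRST[1], NEWEST_FIRST[2]]

if __name__ == "__main__":
    for name, fn in (("where", where_after), ("head", head_while_after)):
        print(name, run(fn, NEWEST_FIRST, CUTOFF), run(fn, OUT_OF_ORDER, CUTOFF))
```

With newest-first input both models keep the same three events, but the head model reads 4 events instead of 6. When an old event arrives out of order, the head model stops there and drops the newer events behind it, while the where model still keeps them.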
