I have a view with a chart that uses the timerangepicker module. The index which is used to display data in this chart has data going back as far as January 2012. However, I only want to be able to use the timerangepicker to return data from July 2012.
The two cases I am seeing are as follows:
1) If I try to add the earliest param to my hiddensearch for this chart, the timerangepicker does not work at all when the hiddensearch is inside the timerangepicker module code.
2) If I place the timerangepicker inside of the hiddensearch module code, then the earliest param is ignored when I set the timerangepicker to 'All time'
What I would like is that no mattter how far back you set the timerangepicker, it will not return data prior to July 2012. So if I choose 'All time' the chart will not return the data from January through June 2012 end.
Is there a way of getting this behaviour in a view?
Thanks in advance for your help.
I don't want to create custom times. I want to limit how far back you can retrieve data from. E.g. I don't want users to see data before September 1st 2012 so if they choose 'Last 30 days' on the standard timerangepicker, it will not return data before September 1st 2012 although data exists for Aughust 31st 2012.
Either don't store it or you will need to either modify timerangepicker (as MarioM suggests) or write a custom module to filter the timerange. Or don't store the data.
I solved the same problem by inserting a time filtering clause into my main search. Then you can use TimeRangePicker after the search and it will work.
Here is how the Advanced XML code sample looks like:
< module name="Search" autoRun="False" > < param name="search" > sourcetype="Updates" UpdateSet="$UpdateSet$" UpdateName="$UpdateName$" table _time, UpdateSize | eval epoch = strptime("06/01/2012:12:00:00", "%m/%d/%Y:%H:%M:%S") | where _time > epoch < /param > < module name="TimeRangePicker" > < param name="label" > Time range: < /param > < param name="selected" > Last 7 days < /param > < param name="searchWhenChanged" > false < /param >
Well, one advanced but unobtrusive way to do this, at least given that you're already in a custom view, is to use the head command with a predicate.
The head command can be given a condition basically, and when it hits that condition it shuts down the streaming portion of the search.
<other search terms> | eval nevermore = strptime("06/01/2012:12:00:00", "%m/%d/%Y:%H:%M:%S") | head (_time>nevermore) | fields - nevermore
However if the search terms appearing before have any non-streaming commands, you might be careful. I think that head will shut down the streaming portion even if it's itself inserted into the search pipeline after the end of the streaming portion, but again you might keep an eye on that.