Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Using event "_time" in a dropdown.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkbase,
How would I go about using the event "_time" to populate values in the dropdown on my view. I wish to use this to select various versions of a file for comparison.
I know this quite an ambiguous, but any assistance will be useful, as I can't seem to set this up correctly.
Thanks in advance.
Regards,
MHibbin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would argue that sideviews isn't neccessary in this situation. Something even in simple xml like this would do the trick;
<form>
<label>_time dropdown</label>
<searchTemplate>earliest=-15m@m "$_time$"</searchTemplate>
<fieldset>
<input type="dropdown" token="_time">
<label>Select _time</label>
<choice value="*">Any</choice>
<populatingSearch fieldForValue="_time" fieldForLabel="_time">index=_internal earliest=-15m@m | top _time</populatingSearch>
</input>
</fieldset>
<row>
<event>
<title>Search results</title>
<option name="count">10</option>
</event>
</row>
</form>
You may have to do some trickery to get the time to work when you select one to search on, it could be interpreting the _time in the same way that bug I found with _time drilldown is. Anyway you could modify it to be a time range in the main search. Hopefully this helps 🙂
P.S. Feel free to come back if you ever need more than a hint 😛
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would argue that sideviews isn't neccessary in this situation. Something even in simple xml like this would do the trick;
<form>
<label>_time dropdown</label>
<searchTemplate>earliest=-15m@m "$_time$"</searchTemplate>
<fieldset>
<input type="dropdown" token="_time">
<label>Select _time</label>
<choice value="*">Any</choice>
<populatingSearch fieldForValue="_time" fieldForLabel="_time">index=_internal earliest=-15m@m | top _time</populatingSearch>
</input>
</fieldset>
<row>
<event>
<title>Search results</title>
<option name="count">10</option>
</event>
</row>
</form>
You may have to do some trickery to get the time to work when you select one to search on, it could be interpreting the _time in the same way that bug I found with _time drilldown is. Anyway you could modify it to be a time range in the main search. Hopefully this helps 🙂
P.S. Feel free to come back if you ever need more than a hint 😛
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Draineh, that's what I needed!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd personally take a look at side view utils and use a search to populate your pulldown. Download the side view app and check out the pulldown section. If you wish to use the core search functionality, you'll need to use the "search selectlistener" and "converttointention" modules. You'll find that side view utils makes this much, much, easier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the suggestion/response bbingham, however I would rather stay away from Sideview for this one.
Thanks again.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
