Dashboards & Visualizations

how to change the custom time range dynamically based on the epoch time in field

Path Finder

I have events like this

SiteEng,siteeng,1271646762,1273602865,99.98,0.02

Here Start field has the value 1271646762 and End field has the value 1273602865

How do I make the custom field automatically change based on the earliest epoch time on Start field and latest epoch time on End field ?

These events are coming from a CSV file which gets updated by cronjob.

So when I search for the report with index="hobbit" I like the timerange to automatically change based on the only CSV file it indexes.

I like the timerange to show something like this

http://picpaste.com/splunk_6.png

Tags (1)
0 Karma

SplunkTrust
SplunkTrust

Are you asking for a way users can interact with those events that would be like: 'search for events between this start and endtime'?

If so then you can use a workflow action.
http://www.splunk.com/base/Documentation/4.1/Knowledge/CreateworkflowactionsinSplunkWeb

In brief, you can configure a workflow action, such that when the 'Start' field and the 'End' field are both present in any event, the user is given an option in the event menu that can be a URL (ie to flashtimeline), and in that URL you can use the Start and End field values to preset the earliest= and latest= arguments in the flashtimeline URL. Setting those arguments will correctly prepopulate the TimeRangePicker.

And the URI part of your workflow action would look like this:

http:///en-US/app/search/flashtimeline?q=search%20sourcetype%3Dfoo&earliest=$Start$&latest=$End$

0 Karma

Super Champion

I really don't understand your question....

Are you trying to use the CSV events to determine the timerange of search in splunk? That seems like an odd thing to do, but it's somewhat possible using the map search command.

You could try a search like:

index=hobbit | map search="search index=hobbit starttimeu::$Start$ endtimeu::$End$"

This isn't going to reset the timerange picker in the upper right hand of the screen, if that's what you are trying to do.

If you are simply trying to see Start and End in a human readable format, you can do that quite easily with:

index=hobbit | convert timeformat="%Y%m%d %H:%M:%S" ctime(Start), ctime(End)

If you clarify your question, I or someone else may be able to give you a better suggestion.

0 Karma