Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we specify the timerange on a pivot based search when using the REST API?

richardAtOmni
Path Finder
‎05-30-2018 03:11 PM

Hello,

We have built a data model, and have defined a pivot search against it. It is working great through the search API, and we have built a dashboard using it as well. When in the search interface or the dashboard, we have a time-range picker that can limit the time range. This works as expected.

Now, we need to run the same query through the REST API. For a regular query, we would use earliest or latest to specify the time range without the timerange picker control. But these don't work with the pivot search command. We need to know how to specify the time range using the query language only, so that it applies to the pivot command.

Can anyone help?

Thanks!

Richard

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-30-2018 05:43 PM

Through the REST API, there are earliest_time and latest_time parameters that the POST to the /search/jobs endpoint takes, these are the equivalent to your time picker selected values (and you could use these instead of embedding earliest and latest in your query string)

http://docs.splunk.com/Documentation/Splunk/7.1.1/RESTREF/RESTsearch#search.2Fjobs

For example using a quick dummy splunk and the makeresults command which also does not take earliest or latest, and the addinfo command which can add information like earliest and latest time to my search results....

$ curl -k -u admin:changeme https://localhost:8089/services/search/jobs -d search="makeresults | addinfo | convert ctime(*time*)" -d earliest_time=-h@h -d latest_time=@h -d exec_mode=oneshot
<?xml version='1.0' encoding='UTF-8'?>

<results preview='0'>
<meta>
<fieldOrder>
<field>_time</field>
<field>info_max_time</field>
<field>info_min_time</field>
<field>info_search_time</field>
<field>info_sid</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='_time'>
            <value><text>2018-05-30T19:40:14.000-05:00</text></value>
        </field>
        <field k='info_max_time'>
            <value><text>05/30/2018 19:00:00.000</text></value>
        </field>
        <field k='info_min_time'>
            <value><text>05/30/2018 18:00:00.000</text></value>
        </field>
        <field k='info_search_time'>
            <value><text>05/30/2018 19:40:14.343</text></value>
        </field>
        <field k='info_sid'>
            <value><text>1527727214.99</text></value>
        </field>
    </result>
</results>

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-30-2018 05:43 PM

Through the REST API, there are earliest_time and latest_time parameters that the POST to the /search/jobs endpoint takes, these are the equivalent to your time picker selected values (and you could use these instead of embedding earliest and latest in your query string)

http://docs.splunk.com/Documentation/Splunk/7.1.1/RESTREF/RESTsearch#search.2Fjobs

For example using a quick dummy splunk and the makeresults command which also does not take earliest or latest, and the addinfo command which can add information like earliest and latest time to my search results....

$ curl -k -u admin:changeme https://localhost:8089/services/search/jobs -d search="makeresults | addinfo | convert ctime(*time*)" -d earliest_time=-h@h -d latest_time=@h -d exec_mode=oneshot
<?xml version='1.0' encoding='UTF-8'?>

<results preview='0'>
<meta>
<fieldOrder>
<field>_time</field>
<field>info_max_time</field>
<field>info_min_time</field>
<field>info_search_time</field>
<field>info_sid</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='_time'>
            <value><text>2018-05-30T19:40:14.000-05:00</text></value>
        </field>
        <field k='info_max_time'>
            <value><text>05/30/2018 19:00:00.000</text></value>
        </field>
        <field k='info_min_time'>
            <value><text>05/30/2018 18:00:00.000</text></value>
        </field>
        <field k='info_search_time'>
            <value><text>05/30/2018 19:40:14.343</text></value>
        </field>
        <field k='info_sid'>
            <value><text>1527727214.99</text></value>
        </field>
    </result>
</results>
Reply
Solved! Jump to solution

richardAtOmni
Path Finder
‎05-31-2018 03:03 PM

Thanks! Appreciate the response. Our team is in the process of verifying that this will work for us. I'll update once I hear back.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...