
How can we specify the timerange on a pivot based search when using the REST API?

richardAtOmni
Path Finder

Hello,

We have built a data model, and have defined a pivot search against it. It is working great through the search API, and we have built a dashboard using it as well. When in the search interface or the dashboard, we have a time-range picker that can limit the time range. This works as expected.

Now, we need to run the same query through the REST API. For a regular query, we would use earliest or latest to specify the time range without the timerange picker control. But these don't work with the pivot search command. We need to know how to specify the time range using the query language only, so that it applies to the pivot command.

Can anyone help?

Thanks!

Richard

1 Solution

acharlieh
Influencer

Through the REST API, there are earliest_time and latest_time parameters that the POST to the /search/jobs endpoint takes; these are equivalent to your time picker's selected values (and you could use these instead of embedding earliest and latest in your query string).

http://docs.splunk.com/Documentation/Splunk/7.1.1/RESTREF/RESTsearch#search.2Fjobs

For example, using a quick dummy Splunk and the makeresults command, which also does not take earliest or latest, and the addinfo command, which can add information like earliest and latest time to my search results:

$ curl -k -u admin:changeme https://localhost:8089/services/search/jobs -d search="makeresults | addinfo | convert ctime(*time*)" -d earliest_time=-h@h -d latest_time=@h -d exec_mode=oneshot
<?xml version='1.0' encoding='UTF-8'?>

<results preview='0'>
<meta>
<fieldOrder>
<field>_time</field>
<field>info_max_time</field>
<field>info_min_time</field>
<field>info_search_time</field>
<field>info_sid</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='_time'>
            <value><text>2018-05-30T19:40:14.000-05:00</text></value>
        </field>
        <field k='info_max_time'>
            <value><text>05/30/2018 19:00:00.000</text></value>
        </field>
        <field k='info_min_time'>
            <value><text>05/30/2018 18:00:00.000</text></value>
        </field>
        <field k='info_search_time'>
            <value><text>05/30/2018 19:40:14.343</text></value>
        </field>
        <field k='info_sid'>
            <value><text>1527727214.99</text></value>
        </field>
    </result>
</results>
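The same approach applied to a pivot search, as an added example that is not part of the original thread: the time window goes into the job's earliest_time/latest_time parameters, the SPL string carries no earliest=/latest= terms, and the addinfo fields in the response are checked against the window that was submitted. Two choices differ from the curl line above on purpose: TLS verification stays on (no -k) and authentication uses a Splunk authentication token in an Authorization: Bearer header instead of admin:changeme on the command line. The data model name Web_Traffic, dataset Web, field status, the host splunk.example.com and the SPLUNK_TOKEN environment variable are all hypothetical, and the sample response is constructed in the shape of the output shown in the answer (epoch values, since the search does not run convert).

```python
"""Run a pivot search through the Splunk REST API with the time range passed
as job parameters, then confirm from addinfo that the window applied.

Added example, not code from the original post. Host, data model, dataset,
field names and the token variable are hypothetical placeholders.
"""
import os
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SPLUNK_BASE = "https://splunk.example.com:8089"  # hypothetical management port URL

# Constructed sample in the shape of the response shown in the answer above
# (no convert, so info_* fields are epoch seconds: 18:00 and 19:00 on 2018-05-30, UTC-5).
SAMPLE_RESPONSE = """<results preview='0'>
<meta><fieldOrder><field>count</field><field>info_max_time</field>
<field>info_min_time</field><field>info_search_time</field><field>info_sid</field></fieldOrder></meta>
<result offset='0'>
<field k='count'><value><text>42</text></value></field>
<field k='info_max_time'><value><text>1527724800.000</text></value></field>
<field k='info_min_time'><value><text>1527721200.000</text></value></field>
<field k='info_search_time'><value><text>1527727214.343</text></value></field>
<field k='info_sid'><value><text>1527727214.99</text></value></field>
</result>
</results>"""


def build_pivot_search(datamodel: str, dataset: str, split_field: str) -> str:
    """Pivot SPL with no time bounds of its own; addinfo exposes the job window."""
    return (f"| pivot {datamodel} {dataset} count({dataset}) AS count "
            f"SPLITROW {split_field} | addinfo")


def has_inline_bounds(search: str) -> bool:
    """Detect earliest=/latest= inside the SPL, which pivot does not honour."""
    return re.search(r"\b(earliest|latest)\s*=", search) is not None


def build_job_request(search: str, earliest: str, latest: str,
                      token: str) -> urllib.request.Request:
    """Form-encode a oneshot job; the window rides as request parameters."""
    if has_inline_bounds(search):
        raise ValueError("put the time range in earliest_time/latest_time, not in the SPL")
    params = {
        "search": search,
        "earliest_time": earliest,   # the values a time picker would send, e.g. -h@h
        "latest_time": latest,       # e.g. @h
        "exec_mode": "oneshot",
        "output_mode": "xml",
    }
    req = urllib.request.Request(f"{SPLUNK_BASE}/services/search/jobs",
                                 data=urllib.parse.urlencode(params).encode(),
                                 method="POST")
    # Token auth keeps credentials out of the command line and shell history.
    req.add_header("Authorization", f"Bearer {token}")
    return req


def parse_results(xml_text: str) -> list[dict]:
    """Turn the <results><result><field k=...> XML into a list of row dicts."""
    rows = []
    for result in ET.fromstring(xml_text).findall("result"):
        row = {}
        for field in result.findall("field"):
            values = [t.text or "" for t in field.findall("./value/text")]
            row[field.get("k")] = values[0] if len(values) == 1 else values  # multivalue stays a list
        rows.append(row)
    return rows


def window_applied(row: dict, earliest_epoch: float, latest_epoch: float) -> bool:
    """True when addinfo reports exactly the window the job was submitted with."""
    return (float(row["info_min_time"]) == earliest_epoch
            and float(row["info_max_time"]) == latest_epoch)


def run_pivot(search: str, earliest: str, latest: str, token: str) -> list[dict]:
    """Submit the job over verified TLS and return the parsed rows."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    req = build_job_request(search, earliest, latest, token)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_results(resp.read().decode())


if __name__ == "__main__":
    search = build_pivot_search("Web_Traffic", "Web", "status")
    rows = parse_results(SAMPLE_RESPONSE)  # offline demo on the constructed sample
    print(search)
    print(rows[0]["info_min_time"], rows[0]["info_max_time"],
          window_applied(rows[0], 1527721200.0, 1527724800.0))
    if os.environ.get("SPLUNK_TOKEN"):  # live run only when a token is provided
        for row in run_pivot(search, "-h@h", "@h", os.environ["SPLUNK_TOKEN"]):
            print(row)
```

The window check matters because the failure mode the question describes is silent: a pivot search with earliest= in the SPL simply runs over all time. Comparing info_min_time and info_max_time against the intended epoch bounds turns that into a detectable condition.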


richardAtOmni
Path Finder

Thanks! Appreciate the response. Our team is in the process of verifying that this will work for us. I'll update once I hear back.
