Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we specify the timerange on a pivot based search when using the REST API?

richardAtOmni
Path Finder
‎05-30-2018 03:11 PM

Hello,

We have built a data model, and have defined a pivot search against it. It is working great through the search API, and we have built a dashboard using it as well. When in the search interface or the dashboard, we have a time-range picker that can limit the time range. This works as expected.

Now, we need to run the same query through the REST API. For a regular query, we would use earliest or latest to specify the time range without the timerange picker control. But these don't work with the pivot search command. We need to know how to specify the time range using the query language only, so that it applies to the pivot command.

Can anyone help?

Thanks!

Richard

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-30-2018 05:43 PM

Through the REST API, there are earliest_time and latest_time parameters that the POST to the /search/jobs endpoint takes, these are the equivalent to your time picker selected values (and you could use these instead of embedding earliest and latest in your query string)

http://docs.splunk.com/Documentation/Splunk/7.1.1/RESTREF/RESTsearch#search.2Fjobs

For example using a quick dummy splunk and the makeresults command which also does not take earliest or latest, and the addinfo command which can add information like earliest and latest time to my search results....

$ curl -k -u admin:changeme https://localhost:8089/services/search/jobs -d search="makeresults | addinfo | convert ctime(*time*)" -d earliest_time=-h@h -d latest_time=@h -d exec_mode=oneshot
<?xml version='1.0' encoding='UTF-8'?>

<results preview='0'>
<meta>
<fieldOrder>
<field>_time</field>
<field>info_max_time</field>
<field>info_min_time</field>
<field>info_search_time</field>
<field>info_sid</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='_time'>
            <value><text>2018-05-30T19:40:14.000-05:00</text></value>
        </field>
        <field k='info_max_time'>
            <value><text>05/30/2018 19:00:00.000</text></value>
        </field>
        <field k='info_min_time'>
            <value><text>05/30/2018 18:00:00.000</text></value>
        </field>
        <field k='info_search_time'>
            <value><text>05/30/2018 19:40:14.343</text></value>
        </field>
        <field k='info_sid'>
            <value><text>1527727214.99</text></value>
        </field>
    </result>
</results>

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-30-2018 05:43 PM

Through the REST API, there are earliest_time and latest_time parameters that the POST to the /search/jobs endpoint takes, these are the equivalent to your time picker selected values (and you could use these instead of embedding earliest and latest in your query string)

http://docs.splunk.com/Documentation/Splunk/7.1.1/RESTREF/RESTsearch#search.2Fjobs

For example using a quick dummy splunk and the makeresults command which also does not take earliest or latest, and the addinfo command which can add information like earliest and latest time to my search results....

$ curl -k -u admin:changeme https://localhost:8089/services/search/jobs -d search="makeresults | addinfo | convert ctime(*time*)" -d earliest_time=-h@h -d latest_time=@h -d exec_mode=oneshot
<?xml version='1.0' encoding='UTF-8'?>

<results preview='0'>
<meta>
<fieldOrder>
<field>_time</field>
<field>info_max_time</field>
<field>info_min_time</field>
<field>info_search_time</field>
<field>info_sid</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='_time'>
            <value><text>2018-05-30T19:40:14.000-05:00</text></value>
        </field>
        <field k='info_max_time'>
            <value><text>05/30/2018 19:00:00.000</text></value>
        </field>
        <field k='info_min_time'>
            <value><text>05/30/2018 18:00:00.000</text></value>
        </field>
        <field k='info_search_time'>
            <value><text>05/30/2018 19:40:14.343</text></value>
        </field>
        <field k='info_sid'>
            <value><text>1527727214.99</text></value>
        </field>
    </result>
</results>
Reply
Solved! Jump to solution

richardAtOmni
Path Finder
‎05-31-2018 03:03 PM

Thanks! Appreciate the response. Our team is in the process of verifying that this will work for us. I'll update once I hear back.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...