- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to disable options greater than 7 days in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to disable options greater than 7 days in the timepicker input on a particular dashboard
Hi.
I have an interactive dashboard with a lot of data. It has multiple panels with performance data for a large number of hosts. I have been able to get it to run by a combination of things:
- the individual panels select exceptions
- the users can select Top 10, Top 20, Top 50 hosts
- they can select a range of up to 7 days
Anything more than 7 days will return truncated data errors. Is there a way to disable all other timeframe options from the timepicker selection choices?
I'd really appreciate any insights you might have.
Thanks.
Barbara
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest thing to do is to create your own very limited timepicker selector that has the few options that you allow like this:
label="Today", value="earliest=@d latest=now"
label="From yesterday", value="earliest=-1d@d latest=now"
label="From 2 days ago", value="earliest=-2d@d latest=now"
label="From 3 days ago", value="earliest=-3d@d latest=now"
label="From 4 days ago", value="earliest=-4d@d latest=now"
label="From 5 days ago", value="earliest=-5d@d latest=now"
label="From 6 days ago", value="earliest=-6d@d latest=now"
label="From 7 days ago", value="earliest=-7d@d latest=now"
Then use Your SPL here $earlylate_token$ ... as your search string
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I forgot to mention that I don't have access to the config file or the file structure. Our Splunk Admin team is very strict.
And I only need to control the timeframe for this specific dashboard because there is too much data. I don't want to restrict the timeframes for all dashboards.
If I have to, I will create a custom time input, but I was hoping to simply disable the larger timeframes in the existing input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @bbknowles,
Totally possible, you can do this by removing the entries you dont need from the times.conf config file, but this removes the options for all users : https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/Timesconf
If you want to apply for a fixed dashboard you can either use some JS magic as in the following link https://answers.splunk.com/answers/222650/limit-choices-in-default-timepicker.html or go for the easy way and just create your own drop down including only the time options you require (this is easier to manage and maintain).
PS: If you want to ensure that your users dont tweak the searches and get more than 7 days make sure you use their role configuration to limit the time, this can be done using the srchTimeWin = <number> setting in :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/authorizeconf
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The user can always run searches with earliest=-xx , so he/she can override if it need be if they have got a search option.
Said that,
See the solutions in below post to customize time range picker
https://answers.splunk.com/answers/222650/limit-choices-in-default-timepicker.html
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
