How to restrict time range picker to specific period for search?

kamlesh_vaghela
SplunkTrust

Hello Team,

Here, I want some way to restrict searches to no more than a specific period.
e.g. a user can only select a time range of 3 months, whether it is the last 3 months, or 1st Oct to 31 Dec, or any time range of 3 months or less.

If the time range is more than 3 months, it should prompt a message and not allow any search to execute.

So please share any ideas or hints on how to do that.

Thanks in advance.


kamlesh_vaghela
SplunkTrust

Hello All,

I've found a way to put validation on the time range picker. It is somewhat tricky, but it's working. I've executed a search for validating the time range. This search will return a flag and will help to set a dummy token for executing a panel's search. I have designed a sample dashboard for the same.

<form>
  <label>Time Range Validation Example</label>
  <search>
    <!-- Validation search: allowed=0 when the picked window exceeds max seconds.
         This sample allows 2 days (2*86400); adjust max to the window you need.
         isnull(diff) guards against an open-ended range (All time), where addinfo
         reports info_max_time as +Infinity rather than an epoch. CDATA keeps the
         comparison operator legal XML. -->
    <query><![CDATA[| makeresults | addinfo | eval diff=info_max_time-info_min_time, max=(2*86400) | eval allowed=if(isnull(diff) OR diff > max, 0, 1) | table allowed]]></query>
    <earliest>$timerange_tkn.earliest$</earliest>
    <latest>$timerange_tkn.latest$</latest>
    <!-- allowed=1: define the gating token so the panel search can run;
         otherwise define the error token (shows the message row) and unset the gate. -->
    <done>
      <condition match="$result.allowed$ > 0">
        <set token="timerangetoken">  </set>
        <unset token="timerange_tknErr"></unset>
      </condition>
      <condition>
        <set token="timerange_tknErr">  </set>
        <unset token="timerangetoken"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timerange_tkn" searchWhenChanged="true" id="timepicked_id">
      <label>Time Range</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row depends="$timerange_tknErr$">
    <panel>
      <html>
        <div id="timerange_tknErrMsg_id"/>
        <div class="alert alert-error">
          <i class="icon-alert"/>
          <span class="errorBackground"> Invalid time range.</span>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Count by sourcetype</title>
      <table>
        <!-- $timerangetoken$ is only defined when validation passed,
             so this search does not run on an invalid range. -->
        <search>
          <query>$timerangetoken$ index=_internal | head 1000 | stats count by sourcetype</query>
          <earliest>$timerange_tkn.earliest$</earliest>
          <latest>$timerange_tkn.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Happy Splunking

Kamlesh

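The same token-gating technique adapted to the 3-month window asked for in the question, as an added example that is not part of the thread: it uses relative_time to allow exactly 3 calendar months from the chosen earliest time, rejects an open-ended range (addinfo reports a missing latest bound as +Infinity, which fails the numeric check), and surfaces the reason in the message row. Token names follow the solution above; the 7-day default and the timerange_tknErrMsg token are assumptions.

```xml
<form>
  <label>Time Range Validation (3 months)</label>
  <!-- Validation search; CDATA keeps <= legal XML. bounded=0: no numeric earliest/latest, i.e. All time. -->
  <search>
    <query><![CDATA[
| makeresults
| addinfo
| eval bounded = if(isnum(info_min_time) AND isnum(info_max_time), 1, 0)
| eval limit_epoch = relative_time(info_min_time, "+3mon")
| eval allowed = if(bounded=1 AND info_max_time <= limit_epoch, 1, 0)
| eval reason = case(bounded=0, "Pick a bounded range; All time is not allowed",
                     allowed=0, "Range exceeds 3 months",
                     true(), "ok")
| table allowed reason
    ]]></query>
    <earliest>$timerange_tkn.earliest$</earliest>
    <latest>$timerange_tkn.latest$</latest>
    <done>
      <condition match="$result.allowed$ > 0">
        <set token="timerangetoken"> </set>
        <unset token="timerange_tknErr"></unset>
        <unset token="timerange_tknErrMsg"></unset>
      </condition>
      <condition>
        <!-- invalid: show the reason and leave the panel's gating token undefined -->
        <set token="timerange_tknErrMsg">$result.reason$</set>
        <set token="timerange_tknErr"> </set>
        <unset token="timerangetoken"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timerange_tkn" searchWhenChanged="true">
      <label>Time Range</label>
      <default><earliest>-7d@d</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row depends="$timerange_tknErr$">
    <panel><html>
      <div class="alert alert-error"><i class="icon-alert"/> $timerange_tknErrMsg$</div>
    </html></panel>
  </row>
  <row>
    <panel><table><search>
      <query>$timerangetoken$ index=_internal | head 1000 | stats count by sourcetype</query>
      <earliest>$timerange_tkn.earliest$</earliest><latest>$timerange_tkn.latest$</latest>
    </search></table></panel>
  </row>
</form>
```

This gate lives in the dashboard only, so a user with search access can still run the same query from the search bar; if the limit must hold everywhere, set the role's search time window (srchTimeWin in authorize.conf) as well.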


inventsekar
Ultra Champion

I think this can be done only through a dashboard:
https://answers.splunk.com/answers/222650/limit-choices-in-default-timepicker.html

also, check this:
https://simonduff.net/splunk_restrict_time_range_picker/
From the above link: "The downsides are that this only works for custom dashboards and forms, and that these presets are just masked – a crafty user could disable this CSS and select these hidden items. However, Splunk provides sufficient restrictions as part of its RBAC model to limit users from doing long running or all time searches, if required."

You can grab an example app that demonstrates this configuration from https://github.com/sduff/restrict_timepicker.


kamlesh_vaghela
SplunkTrust

@inventsekar

Thanks for the reply. Basically, I'm looking for something like validation. I have already restricted it using CSS, but I want to keep the open time range (from date/time to date/time). So the period between the from and to date/time should not be more than 3 months. So is there any JS or something to implement it?
