Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Assigning a field to be used by the timepicker

shipitsquirrel
Explorer
‎02-20-2024 12:26 PM

Hello all, 

While developing my Splunk Add-On, I've run into a blocker concerning the timepicker on search. Currently, changing the time from the default "Last 24 Hours" to any other value has no effect and the search always returns all of the elements from my KV store. I've read through about a dozen forum threads but haven't found a clear answer to this problem. 

Any help with what settings/files need to be configured would be appreciated!

I am developing in Splunk Enterprise 9.1.3

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-20-2024 03:04 PM

What's your search that's returning the data - is this in a dashboard. If the data is coming from a KV store than you will have to do the time bounding yourself as Splunk will not limit your result set based on time as there is no similar time concept in the KV store, you have to do it yourself.

 

0 Karma
Reply

shipitsquirrel
Explorer
‎02-21-2024 11:10 AM

I'm trying to make it so any search on my KV store will be filterable by the timepicker. So if I were to search

|inputlookup {collection_name}

I would get back all the entries from my collection based on the selected time range. 

Are you saying that since it's a KV store I'll need to include time constraints in each query to make this work? 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-21-2024 01:54 PM

Yes, because KV store is not a time-series DB like the Splunk index effectively is.

A KV store has no fixed _time field like there is for every event in a Splunk index - you define the fields in your collection, so you need to control what gets filtered.

If you have a field called KV_entry_time, which is stored as an epoch, then you will need to convert your time picker selection to epoch start/end values and then 

|inputlookup {collection_name} where KV_entry_time >= $time_picker_start$ AND KV_entry_time < $time_picker_end$

 There is a trick to converting the time picker input to a start/end epoch value - you need a background search in the XML like this

<search>
  <query>
| makeresults
| addinfo
  </query>
  <done>
    <set token="time_picker_start">$result.info_min_time$</set>
    <set token="time_picker_end">$result.info_max_time$</set>
  </done>
  <earliest>$time_picker.earliest$</earliest>
  <latest>$time_picker.latest$</latest>
</search>

which will use addinfo to get the time picker's epoch values from info_*_time and then the token setting will convert those to the time_picker_* tokens you can use in the collection search. 

Hope this helps

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...