Splunk Dev

How can we specify the timerange on a pivot based search when using the REST API?

richardAtOmni
Path Finder

Hello,

We have built a data model, and have defined a pivot search against it. It is working great through the search API, and we have built a dashboard using it as well. When in the search interface or the dashboard, we have a time-range picker that can limit the time range. This works as expected.

Now, we need to run the same query through the REST API. For a regular query, we would use earliest or latest to specify the time range without the timerange picker control. But these don't work with the pivot search command. We need to know how to specify the time range using the query language only, so that it applies to the pivot command.

Can anyone help?

Thanks!

Richard

1 Solution

acharlieh
Influencer

Through the REST API, there are earliest_time and latest_time parameters that the POST to the /search/jobs endpoint takes; these are the equivalent of your time picker's selected values (and you could use these instead of embedding earliest and latest in your query string).

http://docs.splunk.com/Documentation/Splunk/7.1.1/RESTREF/RESTsearch#search.2Fjobs

For example, using a quick dummy Splunk instance, the makeresults command (which also does not take earliest or latest), and the addinfo command (which can add information like the earliest and latest time to my search results):

$ curl -k -u admin:changeme https://localhost:8089/services/search/jobs -d search="makeresults | addinfo | convert ctime(*time*)" -d earliest_time=-h@h -d latest_time=@h -d exec_mode=oneshot
<?xml version='1.0' encoding='UTF-8'?>

<results preview='0'>
<meta>
<fieldOrder>
<field>_time</field>
<field>info_max_time</field>
<field>info_min_time</field>
<field>info_search_time</field>
<field>info_sid</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='_time'>
            <value><text>2018-05-30T19:40:14.000-05:00</text></value>
        </field>
        <field k='info_max_time'>
            <value><text>05/30/2018 19:00:00.000</text></value>
        </field>
        <field k='info_min_time'>
            <value><text>05/30/2018 18:00:00.000</text></value>
        </field>
        <field k='info_search_time'>
            <value><text>05/30/2018 19:40:14.343</text></value>
        </field>
        <field k='info_sid'>
            <value><text>1527727214.99</text></value>
        </field>
    </result>
</results>
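The same approach applied to a pivot search, as an added example that is not code from the thread or from Splunk: it POSTs to /services/search/jobs with earliest_time and latest_time carrying the time window, so the SPL itself needs no earliest/latest. It assumes a management URL in SPLUNK_URL and a Splunk authentication token in SPLUNK_TOKEN (a bearer token instead of the curl example's username and password, with TLS verification left on rather than curl -k); MyDataModel and MyObject are placeholder names, and the embedded SAMPLE_XML is the response shape from the reply above so the parser can be exercised offline.

```python
"""Pivot search over the Splunk REST API with an explicit time window.
Added example, not from the thread. Assumes SPLUNK_URL (e.g. https://host:8089)
and SPLUNK_TOKEN in the environment; data model/object names are placeholders."""
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Oneshot response shape copied from the thread above, kept for offline checks.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'><result offset='0'>
<field k='info_min_time'><value><text>05/30/2018 18:00:00.000</text></value></field>
<field k='info_max_time'><value><text>05/30/2018 19:00:00.000</text></value></field>
</result></results>"""

def build_job_params(pivot_spl, earliest="-h@h", latest="@h"):
    """Form body for POST /services/search/jobs. earliest_time/latest_time
    play the role of the time picker, so the SPL carries no earliest/latest;
    pivot is a generating command, so it is sent with a leading pipe."""
    spl = pivot_spl.strip()
    if not spl.startswith("|"):
        spl = "| " + spl
    return {"search": spl, "earliest_time": earliest,
            "latest_time": latest, "exec_mode": "oneshot"}

def parse_oneshot_results(xml_text):
    """Turn the <results> XML into a list of {field: value} dicts."""
    rows = []
    for result in ET.fromstring(xml_text).iter("result"):
        rows.append({f.get("k"): "".join(t.text or "" for t in f.iter("text"))
                     for f in result.findall("field")})
    return rows

def run_pivot(base_url, token, pivot_spl, earliest, latest):
    """POST the job with a bearer token; urllib verifies TLS (no curl -k)."""
    body = urllib.parse.urlencode(build_job_params(pivot_spl, earliest, latest))
    req = urllib.request.Request(base_url + "/services/search/jobs",
                                 data=body.encode(), method="POST",
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_oneshot_results(resp.read().decode())

if __name__ == "__main__":
    # addinfo appended so the returned rows show the window that was applied.
    print(run_pivot(os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"],
                    "pivot MyDataModel MyObject count(MyObject) AS total | addinfo",
                    "-24h@h", "@h"))
```

Check info_min_time and info_max_time in the returned rows against the values you passed: if they do not match, the window was not applied and the search ran over the default range.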

richardAtOmni
Path Finder

Thanks! Appreciate the response. Our team is in the process of verifying that this will work for us. I'll update once I hear back.
