How can I get the earliest and latest time as epoch in a custom command written in Python? Either it's not possible, I am dense, or the docu is not very detailed.
update:
What I need to set is two datetime fields in the format 2015-03-16-17-13-00, and I would like to get the time range from the time range picker. An alternative can be a calculated value, with a form provided for easy usage. I use these parameters when calling a web service.
If you are using GeneratingCommand in the Python SDK, here is the answer, tested both at the Search command and in a dashboard:
    def generate(self):
        # ....
        search_results = self.search_results_info
        logger.debug('search time: %s %s' % (str(search_results.search_et), str(search_results.search_lt)))
        # ....
Result:
search time: 1470837600.0 1471443921.0
This works for me. I plan to do more fine tuned filter.
This works well for me until I selected the all time option, then an error telling me it can't read the property. Any ideas how to work around this issue?
All time has no boundaries, so you won't have an earliest or latest property.
Right, but how do I prevent the search from crashing in this case? I tried to write the conditional search_results.search_et == None, but the search crashed before the comparison could occur.
I also tried search_results.get('search_et') and that crashed as well.
So the "workaround" is a kind of error checking (safeguard): check whether they exist or not. In the case of All time, you do nothing with it anyway.
Thank you for your good answer!!!!
Works nicely. I just might polish this half-assed PRTG custom command finally 🙂
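The safeguard discussed in the comments above, as an added example that is not code from this thread or from the Splunk SDK. It assumes a missing `search_et`/`search_lt` surfaces as an `AttributeError` on attribute access, formats in UTC (an assumption, the thread does not name a time zone), and uses hypothetical helper names and constructed stand-ins for `self.search_results_info`:

```python
import math
from datetime import datetime, timezone
from types import SimpleNamespace

STAMP_FORMAT = "%Y-%m-%d-%H-%M-%S"  # the format asked for, e.g. 2015-03-16-17-13-00


def _epoch_or_none(info, name):
    """Return info.<name> as a float, or None when absent, empty or not a finite number."""
    raw = getattr(info, name, None)  # default avoids AttributeError when the field is missing
    if raw is None or raw == "":
        return None
    try:
        value = float(raw)
    except (TypeError, ValueError):
        return None
    return value if math.isfinite(value) else None


def time_bounds(info):
    """Return (earliest, latest) as formatted UTC strings; None marks an open bound."""
    bounds = []
    for name in ("search_et", "search_lt"):
        epoch = _epoch_or_none(info, name)
        if epoch is None:
            bounds.append(None)  # "All time": the caller sends no bound to the web service
        else:
            stamp = datetime.fromtimestamp(epoch, tz=timezone.utc)
            bounds.append(stamp.strftime(STAMP_FORMAT))
    return tuple(bounds)


# Constructed stand-ins for self.search_results_info (assumption: attribute-style access).
bounded = SimpleNamespace(search_et=1470837600.0, search_lt=1471443921.0)
all_time = SimpleNamespace()  # neither field present, as with the All time preset

if __name__ == "__main__":
    print(time_bounds(bounded))
    print(time_bounds(all_time))
    print(time_bounds(None))  # the info object itself may be unavailable
```

Inside `generate()`, the call would be `time_bounds(self.search_results_info)`; treating a `None` bound as "omit the parameter" keeps an unbounded search from sending a malformed timestamp to the web service.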
I know this is an old thread. But here is my solution:
Create a regular time picker input field, and use earliest and latest as command parameters. The Python code can get them as normal parameters.
    <input type="time" token="my_time" searchWhenChanged="false">
      <label>Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    ....
    <search>
      <query>|mycommand myparameters earliest=$my_time.earliest$ latest=$my_time.latest$</query>
    </search>
It does not seem to have a built-in validator for the time range. This brings a new question: is there a way to get the parsed time values? Hate to redo it as Splunk has already done it.
Looks like a fairly nice workaround, I will try it 🙂 but would really like to have it directly in one of the tuples
What exactly do you mean by "directly in one of the tuples"? I may have misunderstood originally.
Hi SloshBurch, my question was regarding writing a custom command and taking the search earliest and search latest for passing the time range to filter a request to an API.
Ok, so you were not asking in response to what I posted. Just wanted to make sure.
Please ignore this answer. See the new one above.
I'm surprised the $my_time$ calls don't work. You're on a recent release of Splunk, right?
The usual behavior is to refer to those tokens within similar <earliest> and <latest> tags as part of the search definition. You should be able to set that up in the UI without reverting to the source editor.
If that makes no sense, I can be more specific.
This is for a custom command, not a regular Splunk search. The time range is used as parameters for a custom command that is consumed by Python code on the Splunk server, not within the dashboard page.
I fear this may not be possible, as I detailed in this answer: http://answers.splunk.com/answers/116430/earliest-and-latest-information-in-custom-python-search-com...
Until someone proves me wrong I'd go with the addinfo workaround.
You can always submit a feature request through the support portal at https://login.splunk.com/page/sso_redirect?type=portal
The fields won't end up in the settings tuple, they will end up in the results tuple.
OK, I see what you mean. The object results is of type list where the value is visible when I print it, so I need to transform it. I hope I find a nice example :-). Can Splunk please seriously consider passing the time range, pretty please? 🙂