Splunk Search

How to add time from drop down in GUI to search string automatically

brantramey
Explorer

In order to establish the search timeframe for Splunk there are 3 options that I know of.

  1. Use the dropdown to the right of the Search box to choose pre-determined or custom timeframes.
  2. After searching use the hit graph to select a new timeframe and zoom-in or zoom-out the timeframe.
  3. Use the search parameters "earliest", "latest", or "now" for the search timeframe.

Options 1 and 2 are the most user-friendly way to select the timeframe, but option 3 is the best way to share a timeframe when passing splunk queries to others. The Problem is that most users will select their timeframe with the GUI options (1 and 2) but then they need to go through some effort to insert the timeframe into their query if they want to share it.

Improvement Suggestion:
We need to add a quick link, button, or other trigger that will take the current timeframe of the search and enter it into the search string. For example I might use the time dropdown to select the last 24 hours, which might be fromt he current time of 7/12/2012 11:00:00 to 7/11/2012 11:00:00. Then I want to share this search with a friend so I click the handy time-insert link and the text earliest="7/11/2012:11:00:00" to latest="7/12/2012 11:00:00" is inserted into my search string permanently framing my search timeframe.

Splunk already does this for search results. Click something in the search results and it is added and researched immediately. Splunk should be able to do the same for the timeframe.

Benefits:
This will definitely save Splunk users a significant amount of time. Even if you have a saved string with "earliest" and "latest" times already saved off you still have to fumble around for about 30 seconds or more finding it, copy/pasting, and editing your time for a new search. Otherwise people are sending queries without timeframe included and there is multiple communication minutes lost going back and forth to get the correct timeframe across to the users.

Estimated Hours/Month Savings per Individual:
Hard to estimate, but several minutes per users of Splunk must be high.

Tags (3)
0 Karma
1 Solution

sowings
Splunk Employee
Splunk Employee

I think that this is an interesting enhancement idea.

For the short term, know that you can "Save & Share Results" from the Save menu / button of the search view. This actually persists the search artifacts (results) of your search, and you can publish the link to your colleagues. Because it's just referencing the contents of a search which has already run, the time frame for the given report is "frozen", but the search bar's contents is the content of the search string. This allows your colleagues to then re-run the search on their own, but over a different time frame if desired, giving you the best of both worlds. They can use your initial search (cheaply--it's already been run!) as a launching point to continue their own search.

View solution in original post

0 Karma

sowings
Splunk Employee
Splunk Employee

I think that this is an interesting enhancement idea.

For the short term, know that you can "Save & Share Results" from the Save menu / button of the search view. This actually persists the search artifacts (results) of your search, and you can publish the link to your colleagues. Because it's just referencing the contents of a search which has already run, the time frame for the given report is "frozen", but the search bar's contents is the content of the search string. This allows your colleagues to then re-run the search on their own, but over a different time frame if desired, giving you the best of both worlds. They can use your initial search (cheaply--it's already been run!) as a launching point to continue their own search.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...