Solved: Mutiple timepicker for same search

ma_anand1984 · ‎05-29-2013

I'm having a query that has a sub-search. I want to pass one time-period to outer query and another to sub-search.

I would like to do that using TWO Time Pickers.

How can i make it work. I can i uniquely identify a time picker?

Anand

sideview · ‎05-30-2013

The ValueSetter trick should work. In the below don't think of the $search.timeRange.earliest$ and $search.timeRange.latest$ keys as the actual keys that TimeRangePicker outputs, or you'll make some bad assumptions. Instead think of them as a convenient second way that Sideview Utils gives you to get the timerange arguments. Basically the two value setters use these keys to stash away the first timerange before it gets clobbered by the second timerange.

<module name="TimeRangePicker">
  <param name="allowSoftSubmit">True</param>
  <param name="default">Last 7 days</param>

  <module name="ValueSetter">
    <param name="name">stashedEarliest</param>
    <param name="value">$search.timeRange.earliest$</param>

    <module name="ValueSetter">
      <param name="name">stashedLatest</param>
      <param name="value">$search.timeRange.latest$</param>

      <module name="TimeRangePicker">
        <param name="allowSoftSubmit">True</param>
        <param name="default">Last 24 hours</param>

I would make sure you're on latest Sideview Utils though, because in the 100+ bugs and fixes between 1.3.X and 2.X I'm pretty sure there were some problems found and fixed around these timerange keys.

View solution in original post

sideview · ‎05-30-2013

The ValueSetter trick should work. In the below don't think of the $search.timeRange.earliest$ and $search.timeRange.latest$ keys as the actual keys that TimeRangePicker outputs, or you'll make some bad assumptions. Instead think of them as a convenient second way that Sideview Utils gives you to get the timerange arguments. Basically the two value setters use these keys to stash away the first timerange before it gets clobbered by the second timerange.

<module name="TimeRangePicker">
  <param name="allowSoftSubmit">True</param>
  <param name="default">Last 7 days</param>

  <module name="ValueSetter">
    <param name="name">stashedEarliest</param>
    <param name="value">$search.timeRange.earliest$</param>

    <module name="ValueSetter">
      <param name="name">stashedLatest</param>
      <param name="value">$search.timeRange.latest$</param>

      <module name="TimeRangePicker">
        <param name="allowSoftSubmit">True</param>
        <param name="default">Last 24 hours</param>

I would make sure you're on latest Sideview Utils though, because in the 100+ bugs and fixes between 1.3.X and 2.X I'm pretty sure there were some problems found and fixed around these timerange keys.

sideview · ‎05-31-2013

I'm afraid you do need two. I've considered an alternate way of using ValueSetter, where you specify <param name="arg.someName">someValue</param>. This would only be an alternate way, not a replacement for the straight up name/value params. However this is still only at the tinkering stage and other priorities have consistently risen higher in the queue.

martin_mueller · ‎05-31-2013

Two param tags with the same name ("name", "value") would then overwrite each other.

ma_anand1984 · ‎05-30-2013

Thank you, do we really need to use two Valusetter module, i thought we can use two name value pairs in same module

ma_anand1984 · ‎05-30-2013

thank you. I thought of the same. I'm currently using a custom made pulldown

martin_mueller · ‎05-30-2013

The only way I see would be to rewrite the keys from the first TimeRangePicker with a ValueSetter to avoid being overwritten by the second TimeRangePicker - I have no idea whether this will work or not though.

Mutiple timepicker for same search

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?