Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Set custom time as default for time picker

dsiob
Communicator
‎06-05-2017 06:13 AM

I need to set my custom time as default time, in time picker. So that in bar chart it will only show the data for that time. I have to show data of current week's Friday night to Saturday morning (say fri 8PM - sat 5AM ) by default, when I open the dashboard.
I tried this:
As I put

@w5+20h
@w6+5h

But It shows previous week Fri-Sat data, if current day is before Friday (like Tuesday). But I need to select Fri and Sat of current week even if current day is Mon, Tue etc.

In addition, it will be great if I'll be able to modify Times.config, so that that predefined time will appear as a new option in default time picker.
Any help will be great!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

newbie2tech
Communicator
‎06-05-2017 01:22 PM

Try this..my splunk version is 6.5.2......irrespective of it have your default time picker values as
@w+5d+20h
@w+6d+5h
and then use those tokens in your search query. Just tested it and it works fine for me.

timepicker

<input type="time" token="field1">
  <label>PickTime</label>
  <default>
    <earliest>@w+5d+20h</earliest>
    <latest>@w+6d+5h</latest>
  </default>
</input>


<panel>
  <event>
    <search>
      <query>index="abc"  </query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.sortDirection">asc</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
  </event>
</panel>

View solution in original post

Reply
Solved! Jump to solution
Solution

newbie2tech
Communicator
‎06-05-2017 01:22 PM

Try this..my splunk version is 6.5.2......irrespective of it have your default time picker values as
@w+5d+20h
@w+6d+5h
and then use those tokens in your search query. Just tested it and it works fine for me.

timepicker

<input type="time" token="field1">
  <label>PickTime</label>
  <default>
    <earliest>@w+5d+20h</earliest>
    <latest>@w+6d+5h</latest>
  </default>
</input>


<panel>
  <event>
    <search>
      <query>index="abc"  </query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.sortDirection">asc</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
  </event>
</panel>
Reply
Solved! Jump to solution

dsiob
Communicator
‎06-05-2017 10:09 PM

Yes! it works. How can I add this default time as a option in time picker (as there are Relative, Date range etc.)

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎06-05-2017 06:31 AM

i'll need to noodle on that first part, but for the time picker, if you go to Settings>User interface>Time ranges, you can add a new time range there. set the permissions for everyone who needs it and you should be good.

0 Karma
Reply
Solved! Jump to solution

dsiob
Communicator
‎06-05-2017 11:51 PM

thanks @cmerriman, adding Time Range worked!! Can I add this Range as part of main menu as there are 'Preset' etc, not under 'Preset'.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎06-05-2017 06:45 AM

so testing some stuff out, this i think will get you there, however if no data is available for future days (today is Monday, June 5th, I have no data for Friday, June 10th), it will come up empty.

index=XXX earliest=@w5+20h latest=+1w@w6+5h|eval earliest=if(strftime(now(),"%a")="Mon" OR strftime(now(),"%a")="Tue" OR strftime(now(),"%a")="Wed" OR strftime(now(),"%a")="Thu",relative_time(_time,"+1w@w5+20h"),_time)|eval latest=if(strftime(now(),"%a")="Mon" OR strftime(now(),"%a")="Tue" OR strftime(now(),"%a")="Wed" OR strftime(now(),"%a")="Thu",relative_time(_time,"+1w@w6+5h"),relative_time(_time,"@w6+5h"))|where _time>=earliest AND _time<=latest
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...