Splunk Search

Set custom time as default for time picker

dsiob
Communicator

I need to set my custom time as default time, in time picker. So that in bar chart it will only show the data for that time. I have to show data of current week's Friday night to Saturday morning (say fri 8PM - sat 5AM ) by default, when I open the dashboard.
I tried this:
As I put

@w5+20h
@w6+5h

But It shows previous week Fri-Sat data, if current day is before Friday (like Tuesday). But I need to select Fri and Sat of current week even if current day is Mon, Tue etc.

In addition, it will be great if I'll be able to modify Times.config, so that that predefined time will appear as a new option in default time picker.
Any help will be great!!

0 Karma
1 Solution

newbie2tech
Communicator

Try this..my splunk version is 6.5.2......irrespective of it have your default time picker values as
@w+5d+20h
@w+6d+5h
and then use those tokens in your search query. Just tested it and it works fine for me.

timepicker

<input type="time" token="field1">
  <label>PickTime</label>
  <default>
    <earliest>@w+5d+20h</earliest>
    <latest>@w+6d+5h</latest>
  </default>
</input>


<panel>
  <event>
    <search>
      <query>index="abc"  </query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.sortDirection">asc</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
  </event>
</panel>

View solution in original post

newbie2tech
Communicator

Try this..my splunk version is 6.5.2......irrespective of it have your default time picker values as
@w+5d+20h
@w+6d+5h
and then use those tokens in your search query. Just tested it and it works fine for me.

timepicker

<input type="time" token="field1">
  <label>PickTime</label>
  <default>
    <earliest>@w+5d+20h</earliest>
    <latest>@w+6d+5h</latest>
  </default>
</input>


<panel>
  <event>
    <search>
      <query>index="abc"  </query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.sortDirection">asc</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
  </event>
</panel>

dsiob
Communicator

Yes! it works. How can I add this default time as a option in time picker (as there are Relative, Date range etc.)

0 Karma

cmerriman
Super Champion

i'll need to noodle on that first part, but for the time picker, if you go to Settings>User interface>Time ranges, you can add a new time range there. set the permissions for everyone who needs it and you should be good.

0 Karma

dsiob
Communicator

thanks @cmerriman, adding Time Range worked!! Can I add this Range as part of main menu as there are 'Preset' etc, not under 'Preset'.

0 Karma

cmerriman
Super Champion

so testing some stuff out, this i think will get you there, however if no data is available for future days (today is Monday, June 5th, I have no data for Friday, June 10th), it will come up empty.

index=XXX earliest=@w5+20h latest=+1w@w6+5h|eval earliest=if(strftime(now(),"%a")="Mon" OR strftime(now(),"%a")="Tue" OR strftime(now(),"%a")="Wed" OR strftime(now(),"%a")="Thu",relative_time(_time,"+1w@w5+20h"),_time)|eval latest=if(strftime(now(),"%a")="Mon" OR strftime(now(),"%a")="Tue" OR strftime(now(),"%a")="Wed" OR strftime(now(),"%a")="Thu",relative_time(_time,"+1w@w6+5h"),relative_time(_time,"@w6+5h"))|where _time>=earliest AND _time<=latest
0 Karma
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...