- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk - How to not perform search for greater tha...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk - How to not perform search for greater than 30 days in Time Picker.
I have a Panel in a Dashboard which shows results of a Query and picks the time range from a TimePicker.
Goal: If the user selects time greater than 30 days in the TimePicker, the search for this specific panel's query should not search for more than 30 days. It should set the time range to 30 days only if user selects time greater than 30 days in TimePicker.
For time selected lesser than 30 days, this specific panel should display results for that selected time range.
This is how the current query for this panel looks like:
eventtype=$app_name$
| timechart span=1h count by _time- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See this example dashboard that has a time picker and 2 panels. The first panel is a simple search that does a count on events. The second panel shows you how you can manage the user's time selection.
You don't need to have this second panel visible, you can either hide it using <panel depends="$hidden$"> or you can just take the <search> fragment and put it at the root of your dashboard.
The idea is that the real search uses time selection based on tokens that are calculated by the second panel rather than the time picker. The second panel DOES use the time picker values and then does the 30 day check and controls as required.
<form>
<label>Time Picker Control</label>
<init>
<set token="earliest">-24h</set>
<set token="latest">now</set>
</init>
<fieldset submitButton="false">
<input type="time" token="time_range">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
<change>
<eval token="earliest">if(relative_time</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<title>Simple timechart</title>
<chart>
<title>$ranges$</title>
<search>
<query>index=_audit
| timechart span=1h count</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Calculation panel that limits historical range</title>
<table>
<search>
<done>
<set token="earliest">$result.earliest$</set>
<set token="latest">$result.info_max_time$</set>
<set token="ranges">$result.ranges$</set>
</done>
<query>| makeresults
| addinfo
| eval min_time=now()-(30*86400)
| eval earliest=if(info_min_time < min_time, min_time, info_min_time)
| eval initial_range="Time Picker range: ".strftime(info_min_time, "%F %T")." to ".strftime(info_max_time, "%F %T")
| eval limited_range="Search range ".strftime(earliest, "%F %T")." to ".strftime(info_max_time, "%F %T")
| eval ranges=mvappend(initial_range, limited_range)
| table ranges earliest info_min_time info_max_time</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>Hope this helps
By the way using
| timechart span=1h count by _timeis not correct. You do not need 'by _time' with timechart as that is what it does anyway.
New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...
Improve Data Pipelines Using Splunk Data Management
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
