Splunk Search

Splunk - How to not perform search for greater than 30 days in Time Picker.

kirti_gupta12
Path Finder

I have a Panel in a Dashboard which shows results of a Query and picks the time range from a TimePicker. 

Goal: If the user selects a time range greater than 30 days in the TimePicker, the search for this specific panel's query should not search more than 30 days. It should set the time range to 30 days only if the user selects a time range greater than 30 days in the TimePicker.
For a selected time range of less than 30 days, this specific panel should display results for that selected time range.

This is what the current query for this panel looks like:

eventtype=$app_name$ 
| timechart span=1h count by _time
0 Karma

bowesmana
SplunkTrust

@kirti_gupta12 

See this example dashboard that has a time picker and 2 panels. The first panel is a simple search that does a count on events. The second panel shows you how you can manage the user's time selection.

You don't need to have this second panel visible: you can either hide it using <panel depends="$hidden$"> or you can just take the <search> fragment and put it at the root of your dashboard.

The idea is that the real search uses time selection based on tokens that are calculated by the second panel rather than the time picker. The second panel DOES use the time picker values and then does the 30 day check and controls as required.

<form>
  <label>Time Picker Control</label>
  <init>
    <set token="earliest">-24h</set>
    <set token="latest">now</set>
  </init>
  <fieldset submitButton="false">
    <input type="time" token="time_range">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Simple timechart</title>
      <chart>
        <title>$ranges$</title>
        <search>
          <query>index=_audit
| timechart span=1h count</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Calculation panel that limits historical range</title>
      <table>
        <search>
          <done>
            <set token="earliest">$result.earliest$</set>
            <set token="latest">$result.info_max_time$</set>
            <set token="ranges">$result.ranges$</set>
          </done>
          <query>| makeresults
| addinfo
| eval min_time=now()-(30*86400)
| eval earliest=if(info_min_time &lt; min_time, min_time, info_min_time)
| eval initial_range="Time Picker range: ".strftime(info_min_time, "%F %T")." to ".strftime(info_max_time, "%F %T")
| eval limited_range="Search range ".strftime(earliest, "%F %T")." to ".strftime(info_max_time, "%F %T")
| eval ranges=mvappend(initial_range, limited_range)
| table ranges earliest info_min_time info_max_time</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Hope this helps

By the way using 

| timechart span=1h count by _time

is not correct. You do not need 'by _time' with timechart as that is what it does anyway.

0 Karma
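As an added illustration (not part of the original answer), the following Python models what the calculation panel above computes: it resolves the time picker's earliest/latest the way addinfo would report them as info_min_time/info_max_time, applies the same 30-day floor, and builds the same "ranges" strings. The relative-time parser is a deliberately simplified assumption (only m/h/d units and snaps, UTC instead of local time), not Splunk's own implementation.

```python
import re
from datetime import datetime, timezone

MAX_DAYS = 30                              # the 30-day cap used by the calculation panel
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}


def resolve_relative(spec, now):
    """Simplified model of a Splunk relative-time modifier such as '-24h@h' or 'now'.

    Assumption: only minute/hour/day offsets and snaps are handled, and snapping is
    done against UTC boundaries. Returns epoch seconds, like addinfo's info_*_time.
    """
    spec = spec.strip()
    if spec in ("0", "0.000"):             # the "All time" earliest resolves to epoch 0
        return 0.0
    m = re.fullmatch(r"(now)?(?:([+-]\d+)([mhd]))?(?:@([mhd]))?", spec)
    if not spec or not m:
        raise ValueError(f"unsupported time modifier: {spec!r}")
    _, amount, unit, snap = m.groups()
    t = now
    if amount:
        t += int(amount) * UNIT_SECONDS[unit]
    if snap:
        t -= t % UNIT_SECONDS[snap]        # snap down to the start of the unit
    return float(t)


def limit_range(picker_earliest, picker_latest, now, max_days=MAX_DAYS):
    """Mirror of the calculation panel's SPL: floor earliest at now - max_days."""
    info_min_time = resolve_relative(picker_earliest, now)
    info_max_time = resolve_relative(picker_latest, now)
    min_time = now - max_days * 86400
    # eval earliest=if(info_min_time < min_time, min_time, info_min_time)
    earliest = min_time if info_min_time < min_time else info_min_time

    def fmt(t):                            # equivalent of strftime(t, "%F %T") in UTC
        return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

    ranges = [
        f"Time Picker range: {fmt(info_min_time)} to {fmt(info_max_time)}",
        f"Search range {fmt(earliest)} to {fmt(info_max_time)}",
    ]
    # These three values are what the <done> handler copies into the dashboard tokens.
    return {"earliest": earliest, "latest": info_max_time, "ranges": ranges}


if __name__ == "__main__":
    NOW = 1_700_000_000                    # constructed fixed "now" so the run is reproducible
    for picker in ("-24h@h", "-90d", "0"):
        print(picker, limit_range(picker, "now", NOW))
```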