Solved: Time Input to Form Not Working

jroes014 · ‎01-09-2018

Maybe I've been overthinking this, but for the life of me I cannot get my Time Input to my form working! I'm using this documentation: http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/FormEditor#Add_a_time_input_to_a_for and this is my search string from my report:

index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=%username%

I didn't see anything in the documentation that says I need to edit this search string. Even more importantly, however, I do not see a "Search Icon" when I go to edit a panel, let alone an option to "Edit Search String" or use a Shared Time Picker.

That said, I was able to get this partially working by playing around with the timerange a bit. My query works for items like last 15 minutes, last 24 hours, last 7 days, etc.....everything BUT for "All time". If I select "All time", get an error saying that they couldn't parse the search because of a comparator operator (Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.).

My source code is as follows:

<form>
  <label>Cutomized Audit Log</label>
  <description>Audit Log from Unified Audit Trail (custom table).</description>
  <fieldset autoRun="false" submitButton="true">
    <input type="text" token="username">
      <label>Username</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="time" token="timerange" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Customized Audit Log</title>
      <event>
        <search>
          <query>index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=$username$ earliest=$timerange.earliest$ latest=$timerange.latest$</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

What is going on? What am I doing wrong? Would greatly appreciate any help!

micahkemp · ‎01-09-2018

You should put earliest/latest in the xml instead of the search string:

 <form>
   <label>Cutomized Audit Log</label>
   <description>Audit Log from Unified Audit Trail (custom table).</description>
   <fieldset autoRun="false" submitButton="true">
     <input type="text" token="username">
       <label>Username</label>
       <default>*</default>
       <initialValue>*</initialValue>
     </input>
     <input type="time" token="timerange" searchWhenChanged="true">
       <label>Time</label>
       <default>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </default>
     </input>
   </fieldset>
   <row>
     <panel>
       <title>Customized Audit Log</title>
       <event>
         <search>
           <query>index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=$username$</query>
           <earliest>$timerange.earliest$</earliest>
           <latest>$timerange.latest$</query>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="list.drilldown">full</option>
         <option name="list.wrap">1</option>
         <option name="maxLines">5</option>
         <option name="raw.drilldown">full</option>
         <option name="rowNumbers">0</option>
         <option name="table.drilldown">all</option>
         <option name="table.sortDirection">asc</option>
         <option name="table.wrap">1</option>
         <option name="type">list</option>
       </event>
     </panel>
   </row>
 </form>

View solution in original post

jroes014 · ‎01-09-2018

Thank you so much!!! That solved my issue!

micahkemp · ‎01-09-2018

You should put earliest/latest in the xml instead of the search string:

 <form>
   <label>Cutomized Audit Log</label>
   <description>Audit Log from Unified Audit Trail (custom table).</description>
   <fieldset autoRun="false" submitButton="true">
     <input type="text" token="username">
       <label>Username</label>
       <default>*</default>
       <initialValue>*</initialValue>
     </input>
     <input type="time" token="timerange" searchWhenChanged="true">
       <label>Time</label>
       <default>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </default>
     </input>
   </fieldset>
   <row>
     <panel>
       <title>Customized Audit Log</title>
       <event>
         <search>
           <query>index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=$username$</query>
           <earliest>$timerange.earliest$</earliest>
           <latest>$timerange.latest$</query>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="list.drilldown">full</option>
         <option name="list.wrap">1</option>
         <option name="maxLines">5</option>
         <option name="raw.drilldown">full</option>
         <option name="rowNumbers">0</option>
         <option name="table.drilldown">all</option>
         <option name="table.sortDirection">asc</option>
         <option name="table.wrap">1</option>
         <option name="type">list</option>
       </event>
     </panel>
   </row>
 </form>

Time Input to Form Not Working

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability