Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using time range picker does not work in dashboard where report searches are used.

praspai
Path Finder
‎07-30-2015 07:07 AM

I have a dashboard where we have a reference to a report in a search. In the report we have values for all time ranges. In dashboard, I want to provide a time range picker box so we can see only a few records and graph depending upon the selected time range.

Even if I select a time range, its not working. Can someone suggest me how can I use it ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-30-2015 07:56 AM

Here are the common problems when adding a control.

If you are editing your source manually, you need to change from a dashboard to a form so you change the first and last tags from dashboard and /dashboard to form and /form. If you do not do this, none of your controls will function even if everything else is correct.

If you are not using a submit button, be sure to use searchWhenChanged="true":

THIS WORKS:

 <fieldset autoRun="true" submitButton="false">
    <input type="time" token="time_tok1" searchWhenChanged="true">
      <label></label>
      <default>Last 24 hours</default>
    </input>
  </fieldset>

THIS DOES NOT WORK:

 <fieldset autoRun="true" submitButton="false">
    <input type="time" token="time_tok1">
      <label></label>
      <default>Last 24 hours</default>
    </input>
  </fieldset>

Also, there are 2 basic formats for searches with times and they use different tags to access the timepicker value and they are NOT cross-compatible. It is easy to cross-match the syntax which will not give an error but it will not work. When you use search tags, use earliest and latest but when you use searchString or query tags, use earliestTime and latestTime:

<panel>
  <table>
    <title>THIS ONE WORKS</title>
    <search>
      <query>Your Search Here</query>
      <earliest>$time_tok1.earliest$</earliest>
      <latest>$time_tok1.latest$</latest>
    </search>
  </table>
</panel>
<panel>
  <table>
    <title>THIS ALSO WORKS</title>
    <searchString>Your Search Here</searchString>
    <earliestTime>$time_tok1.earliest$</earliestTime>
    <latestTime>$time_tok1.latest$</latestTime>
  </table>
</panel>
<panel>
  <table>
    <title>THIS ONE DOES NOT WORK</title>
    <search>
      <query>Your Search Here</query>
      <earliestTime>$time_tok1.earliest$</earliest>
      <latestTime>$time_tok1.latest$</latest>
    </search>
  </table>
</panel>
<panel>
  <table>
    <title>THIS ALSO DOES NOT WORK</title>
    <searchString>Your Search Here</searchString>
    <earliest>$time_tok1.earliest$</earliestTime>
    <latest>$time_tok1.latest$</latestTime>
  </table>
</panel>

View solution in original post

Reply
Solved! Jump to solution

nfilippi_splunk
Splunk Employee
Splunk Employee
‎08-04-2015 11:54 AM

There's some great information here.

Specific to the request here around being able to include a report on your dashboard, and use the time range from the dashboard picker rather than the report's time range, here is how you do it.

<form>
  <label>Test Report Time Range</label>

  <fieldset submitButton="false">
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Includes reference report, which by default, will use the time range defined in the report object -->
  <row>
    <panel>
      <table>
        <title>Reference Report using Report Time Range</title>

        <search ref="Top_Sourcetypes_Last_4_Hours"></search>

      </table>
    </panel>
  </row>

  <!-- Include reference report, but override the time range with the earliest/latest values set in the time picker above -->
  <row>
    <panel>
      <table>
        <title>Reference Report using Dashboard Picker Time Range</title>

        <search ref="Top_Sourcetypes_Last_4_Hours">
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>

      </table>
    </panel>
  </row>

</form>
Reply
Solved! Jump to solution

benton
Path Finder
‎07-18-2016 12:20 PM

Note, that if your saved-search is a scheduled report, then the and tags do not apply in the dashboard -as far as I can tell anyway. All of the data created by the scheduled search over the scheduled time-period is displayed. If you remove the schedule from the saved search, then the "earliest" and "latest" tags will be applied in the dashboard as described above.

0 Karma
Reply
Solved! Jump to solution

praspai
Path Finder
‎08-05-2015 06:45 AM

Thanks for the answers. I am new to splunk. I got the example in Dashboard examples where its suggested to define time range where Global search is defined in dashboard which solved my issue. 

<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-05-2015 06:48 AM

This exactly matches the answer that I first gave you (except that they named their token differently than I named mine). In any case, you should select an answer (yours or mine) and click "Accept" to close the question.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-30-2015 07:56 AM

Here are the common problems when adding a control.

If you are editing your source manually, you need to change from a dashboard to a form so you change the first and last tags from dashboard and /dashboard to form and /form. If you do not do this, none of your controls will function even if everything else is correct.

If you are not using a submit button, be sure to use searchWhenChanged="true":

THIS WORKS:

 <fieldset autoRun="true" submitButton="false">
    <input type="time" token="time_tok1" searchWhenChanged="true">
      <label></label>
      <default>Last 24 hours</default>
    </input>
  </fieldset>

THIS DOES NOT WORK:

 <fieldset autoRun="true" submitButton="false">
    <input type="time" token="time_tok1">
      <label></label>
      <default>Last 24 hours</default>
    </input>
  </fieldset>

Also, there are 2 basic formats for searches with times and they use different tags to access the timepicker value and they are NOT cross-compatible. It is easy to cross-match the syntax which will not give an error but it will not work. When you use search tags, use earliest and latest but when you use searchString or query tags, use earliestTime and latestTime:

<panel>
  <table>
    <title>THIS ONE WORKS</title>
    <search>
      <query>Your Search Here</query>
      <earliest>$time_tok1.earliest$</earliest>
      <latest>$time_tok1.latest$</latest>
    </search>
  </table>
</panel>
<panel>
  <table>
    <title>THIS ALSO WORKS</title>
    <searchString>Your Search Here</searchString>
    <earliestTime>$time_tok1.earliest$</earliestTime>
    <latestTime>$time_tok1.latest$</latestTime>
  </table>
</panel>
<panel>
  <table>
    <title>THIS ONE DOES NOT WORK</title>
    <search>
      <query>Your Search Here</query>
      <earliestTime>$time_tok1.earliest$</earliest>
      <latestTime>$time_tok1.latest$</latest>
    </search>
  </table>
</panel>
<panel>
  <table>
    <title>THIS ALSO DOES NOT WORK</title>
    <searchString>Your Search Here</searchString>
    <earliest>$time_tok1.earliest$</earliestTime>
    <latest>$time_tok1.latest$</latestTime>
  </table>
</panel>
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-31-2015 06:49 AM

Given your clarification (you need to use a timerangepicker with a saved search), one of these 2 answer should work for you:

http://answers.splunk.com/answers/104947/timerangepicker-for-a-dashboard.html

http://answers.splunk.com/answers/109967/how-to-add-a-time-picker-in-a-dashboard-which-uses-a-hidden...

0 Karma
Reply
Solved! Jump to solution

praspai
Path Finder
‎07-30-2015 11:45 PM

Thanks for the answer... I checked this. It works for inline searches. But does not work with report base searches.

We have a report "Optimze_Report" which I reference in form as

In Panel I am trying to use it as

<panel>
  <chart>
    <search base="OptimizeData">
      <query>  ---- additional conditions to select only few rows from report---- </query>
      <earliest>$time_tok1.earliest$</earliest>
      <latest>$time_tok1.latest$</latest>
    </search>

I get the output but not depending on time range. All the values are shown in the graph instead.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...