Splunk Search

variables indicating the time range of the interactive search selection?

elenzil
Path Finder

this one is a bit off the wall.

is there a variable i can use that represents the time range currently selected in the interactive selection thing?

eg:

search foo | table bim bam selection_duration

where "selection_duration" would be the currently selected range in the timeline,
or, if there is no selection, then the entire range.

tia,
orion

1 Solution

Ayn
Legend

Just use the addinfo command. It will create the fields containing epoch values for info_min_time (the lower timebound for the search, or 0 if no lower timebound exists), info_max_time (the upper timebound for the search, or current time if no upper timebound exists), and info_search_time (when the search was issued). So you could do something like:

... | addinfo | eval selection_duration=strftime(info_min_time,"%+") . " - " . strftime(info_max_time,"%+") | table bim bam selection_duration

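An expanded version of the search above, added here as an illustration rather than taken from Ayn's post: it keeps the human-readable range but also emits the selection length in seconds and as an HH:MM:SS string, and it handles the case addinfo documents where no lower time bound exists (info_min_time is 0, so a subtraction would report a duration since the epoch). The base search (index=main sourcetype=foo) and the field names bim and bam are assumed placeholders matching the question.

```spl
index=main sourcetype=foo
| addinfo
| eval selection_seconds=info_max_time-info_min_time
| eval selection_duration=if(info_min_time==0,
      "all time (through " . strftime(info_max_time,"%Y-%m-%d %H:%M:%S") . ")",
      strftime(info_min_time,"%Y-%m-%d %H:%M:%S") . " - " . strftime(info_max_time,"%Y-%m-%d %H:%M:%S")
        . " (" . tostring(selection_seconds,"duration") . ")")
| fields - info_*
| table bim bam selection_duration selection_seconds
```

addinfo adds info_min_time, info_max_time, info_search_time and info_sid to every event, so the `fields - info_*` line strips them before the table is rendered; drop it if you want the raw epoch bounds in the output too. The `if(info_min_time==0, ...)` branch is what keeps an "All time" search from showing a multi-decade duration.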

elenzil
Path Finder

fantastic, thanks Ayn.
that works perfectly.


sideview
SplunkTrust

If you use the Sideview Utils app (meaning you have Sideview Utils installed, you have the SideviewUtils module included in the view, and you follow the basic instructions in the docs, ie use Search instead of HiddenSearch and other such changes), there are a couple ways.

1) somewhat simpler than you're asking --
$search.timeRange.earliest$ will be the earliest end of the timerange - an epochtime value for absolute timeranges, and a value like "-24h@h" for relative timeranges.
$search.timeRange.label$ will be human-readable things like "last 12 hours", suitable for use in the Sideview HTML module.

2) More what you're asking --
If you use a PostProcess module, to run a postprocess search of
| addinfo | head 1 | eval duration=info_max_time-info_min_time | table duration

after your search, and then downstream from the PostProcess you use the ResultsValueSetter module to pull the duration field down, then downstream from the ResultsValueSetter module you'll be able to use $duration$, and it'll be the number of seconds in the search time range.

If you aren't somewhat familiar with the advanced XML, and you haven't read the Sideview Utils examples a bit, this won't make much sense. I'll try and put an example of it in the Sideview Utils docs itself because it's a weird use case, but it comes up fairly regularly.

Conversely, if you don't use Sideview Utils, then aside from writing your own custom UI module from scratch I don't know of a way it can be done.

elenzil
Path Finder

thanks nick - i was actually unaware of SideView, and it seems like a very useful thing.


nick
Explorer

Ayn's answer is better - my answer is overkill. I thought you needed to get details about the timerange, down as information in the dollar-token space (ie $foo$) in the module system.... On second read it sounds like you just need addinfo.
