Is it possible to save the TimeRangePicker value?

kragel
Path Finder

I'm trying to execute multiple searches using the same value selected with TimeRangePicker. After the first search it appears that search resets to "(latest indexed event)". I don't want to present another TimeRangePicker each time I do a new search. I'd like to save the original setting for each future search. Any ideas? Thank you.

Here's the code where I have to present another TimeRangePicker to the user:

    <module name="TextField" layoutPanel="panel_row1_col1">
      <module name="Button">
        <param name="allowSoftSubmit">True</param>
        <module name="TimeRangePicker">
          <param name="default">Last 4 hours</param>
          <module name="Search">
            <param name="search">host=smtphost* |table _time,to</param>
            <module name="JobProgressIndicator"/>
            <module name="Pager">
              <param name="count">10</param>
              <module name="Table">
                <param name="hiddenFields"></param>
                <!-- second TimeRangePicker, presented again for the drilldown search -->
                <module name="TimeRangePicker">
                  <param name="default">Last 4 hours</param>
                  <module name="Search" autoRun="False">
                    <param name="search">$row.fields.qid$ msgid | table _time,msgid</param>
                    <module name="JobProgressIndicator"/>
                    <module name="Pager">
                      <param name="count">10</param>
                      <module name="Table">
                        <param name="hiddenFields"></param>
                      </module>
                    </module>
                  </module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>

1 Solution

sideview
SplunkTrust

In inline drilldown, if the user ever interacts with a Table, JSChart, FlashChart, or SimpleResultsTable module that has values for both _time and _span, then the drilldown automatically incorporates the absolute timerange of that row, as the timerange argument for subsequent drilldown searches.

timechart obviously outputs _time, although you may never have noticed or thought about the _span field that it outputs as well.

What's happening here, is that the drilldown sees the _time, but not the span, so it sets a timerange that is bounded on the earliest side by that time, and that is unbounded on the latest side. This is sort of the best it can do.

If you don't want this behavior, and you want the upstream TimeRangePicker to keep on applying, you can just rename the _time field to something else... once it's not called "_time", the UI won't do anything special to make it readable so it'll become a weird integer representing the number of seconds since 1970. But you can use eval with strftime() as necessary to convert it to a nice readable string-formatted time.

This has come up on quite a lot of other answers posts. Here is a good one. And while I don't think you technically do need to preserve the TimeRangePicker argument here for use downstream, the answer here does tell you how to do that.
http://answers.splunk.com/answers/81191/is-their-a-way-to-preserve-the-time-selected-value-from-time...
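
One way to apply the suggestion above to the view from the question, as an added example that is not code from either poster: the first search emits the time under a different name, and the second TimeRangePicker is dropped. The field name `event_time` is hypothetical, `qid` is assumed to be among the tabled fields because the drilldown search references `$row.fields.qid$`, and `to` is kept exactly as it appears in the question.

```xml
<!-- Added example: fragment of the question's view from the TimeRangePicker down.
     The enclosing TextField and Button modules are unchanged. -->
<module name="TimeRangePicker">
  <param name="default">Last 4 hours</param>
  <module name="Search">
    <!-- event_time is a hypothetical name. strftime() turns the epoch value into a
         readable string, and because no field called _time reaches the Table,
         the drilldown has no row time to build its own timerange from.
         qid is assumed to be available, since the drilldown search uses it. -->
    <param name="search">host=smtphost* | eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S") | table event_time,to,qid</param>
    <module name="JobProgressIndicator"/>
    <module name="Pager">
      <param name="count">10</param>
      <module name="Table">
        <param name="hiddenFields"></param>
        <!-- No second TimeRangePicker here: the upstream one keeps applying. -->
        <module name="Search" autoRun="False">
          <param name="search">$row.fields.qid$ msgid | table _time,msgid</param>
          <module name="JobProgressIndicator"/>
          <module name="Pager">
            <param name="count">10</param>
            <module name="Table">
              <param name="hiddenFields"></param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
```

The last Table in the chain can keep `_time` as it is, since no further drilldown search runs below it.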
