Dashboards & Visualizations

Real-time option in time range picker for simple XML?

Splunk Employee
Splunk Employee

I have a form using simple XML. I have a timerange picker which applies to all the panels

<input type="time"/>    
    <input type="dropdown" token="timeSpan">
        <label>Time span for charts</label>
        <choice value="span=5m">5 Minute</choice>
        <choice value="span=10m">10 Minutes</choice>
        <choice value="span=1h">1 hour</choice>
        <choice value="span=4h">4 hours</choice>
        <choice value="span=24h">24 hours</choice>
        <choice value="span=7d">7 days</choice>
        <choice value="rt">Real-time</choice>

I'd like to add an option for a real-time selection with (say) a window of earliesttime=rt-4h, latesttime=rt. Can I do that ?

0 Karma


Im not 100% sure what you're ultimately doing with this dropdown either.

But it looks like you're using the <input type="time"/> to let the user set the timerange (which includes various real-time timeranges), and then you're giving them a dropdown to manually control the timespan of a timechart command below somewhere.

Assuming that's correct, the span argument to timechart has no effect on the realtime vs historical nature of the search. That determination is already made when the timerange was picked in the <input type="time"/> element...

One note: is that the values and the order and the grouping of the entries in the time pulldown can actually all be changed and customized for a given app by setting different stanzas in times.conf. This may be overkill for you but it might be worth knowing.

Splunk Employee
Splunk Employee

Can you please clarify what you are doing? Is this picker choosing a bucket span for search results, or is it picking a time range for the search? It only makes sense to real-time if it is a range. (A bucket span in a RT search should be the same as a historical search.)

If it is picking a bucket span (suggested by span=XX), then could you instead just use the regular time picker and set bins=1 instead? I find that using either auto-bucket ranges in timechart or setting a number of bins works very well.

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...