timerange in python custom command

dominiquevocat
Motivator

How can I get the earliest and latest time as epoch in a custom command written in Python? Either it's not possible, I am dense, or the docs are not very detailed.

Update:
What I need is to set two datetime fields in the format 2015-03-16-17-13-00, and I would like to get the time range from the time range picker. Alternatively it can be a calculated value, with a form provided for easy usage. I use these parameters when calling a webservice.

0 Karma
1 Solution

Dev999
Path Finder

If you are using GeneratingCommand in the Python SDK, here is the answer, tested both as a search command and in a dashboard:

import logging
from splunklib.searchcommands import GeneratingCommand
logger = logging.getLogger(__name__)  # the SDK also provides self.logger

class MyCommand(GeneratingCommand):  # placeholder class name
    def generate(self):
        ....
        search_results = self.search_results_info  # parsed from info.csv; leading '_' stripped (_search_et -> search_et)
        logger.debug('search time: %s %s' % (str(search_results.search_et), str(search_results.search_lt)))
        ....

Result:
search time: 1470837600.0 1471443921.0

jaywang66
Loves-to-Learn

This works for me. I plan to do more fine-tuned filtering.

 

import splunklib.results as results  # 'service' is a splunklib.client.Service from client.connect(...), not shown in the post
rr = results.ResultsReader(service.jobs.export("search host=App1 index=ftp _indextime>=1627665310 _indextime<1627665313"))
0 Karma

NathanielHunter
New Member

This works well for me until I select the All time option; then I get an error telling me it can't read the property. Any ideas how to work around this issue?

0 Karma

martin_mueller
SplunkTrust

All time has no boundaries, so you won't have an earliest or latest property.

0 Karma

NathanielHunter
New Member

Right, but how do I prevent the search from crashing in this case? I tried to write the conditional search_results.search_et == None, but the search crashed before the comparison could occur.

I also tried search_results.get('search_et') and that crashed as well.

0 Karma

Dev999
Path Finder

So the "workaround" is a kind of error checking (safeguard): check whether they exist or not. In the case of All time, you do nothing with it anyway.

0 Karma

jason96
New Member

Thank you for your good answer!!!!

0 Karma

dominiquevocat
Motivator

Works nicely. I might just finally polish this half-assed PRTG custom command 🙂

0 Karma

Dev999
Path Finder

I know this is an old thread. But here is my solution:

Create a regular time picker input field, and use earliest and latest as command parameters. The Python code can get them as normal parameters.

  <input type="time" token="my_time" searchWhenChanged="false">
    <label>Time Range</label>
    <default>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
    </default>
  </input>

....

  <search>
    <query>|mycommand myparameters earliest=$my_time.earliest$ latest=$my_time.latest$</query>
  </search>

There does not seem to be a built-in validator for the time range. This brings a new question: is there a way to get the parsed time values? I hate to redo it, as Splunk has already done it.

0 Karma
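Dev999's approach above hands the time picker's earliest/latest strings (for example -7d@h and now) to the command as options, which leaves the command to parse them and to do the range validation the post says is missing. The following is an added example, not code from the thread or from Splunk: a pure-Python parser for the common subset of Splunk's relative time modifier syntax, a validator that rejects an inverted range, and a hypothetical GeneratingCommand (timerangeopts, with options earliest and latest; the command name and defaults are assumptions) that uses them. If you would rather not re-implement the parser, Splunk's own is reachable over REST at search/timeparser (a GET with one or more time= parameters), which needs a session key and is not shown here. Snapping below is done in UTC; Splunk snaps in the user's time zone, so pass an aware now in the right zone if that matters.

```python
# Added example, not code from the thread or from Splunk: a pure-Python parser for the common
# subset of Splunk relative time modifiers (now, epoch, [+|-]N<unit>, @<snap>, @w0..@w6, chained),
# plus the earliest<=latest validation the post says is missing. Snapping is done in UTC here.
import calendar
import re
from datetime import datetime, timedelta, timezone

SAMPLE_NOW = datetime(2016, 8, 17, 14, 25, 21, tzinfo=timezone.utc)  # constructed: epoch 1471443921

_UNIT = {}  # alias -> canonical unit
for _canon, _aliases in (("second", "s sec secs second seconds"), ("minute", "m min mins minute minutes"),
                         ("hour", "h hr hrs hour hours"), ("day", "d day days"), ("week", "w week weeks"),
                         ("month", "mon month months"), ("quarter", "q qtr qtrs quarter quarters"),
                         ("year", "y yr yrs year years")):
    _UNIT.update(dict.fromkeys(_aliases.split(), _canon))
# offset token: sign, optional count, unit  |  snap token: @unit with an optional weekday digit
_TOKEN = re.compile(r"([+-])(\d*)([a-z]+)|@([a-z]+)(\d)?")

def _unit_of(name):
    if name not in _UNIT:
        raise ValueError("unknown time unit %r" % name)
    return _UNIT[name]

def _add_months(dt, months):
    """Calendar arithmetic with the day clamped: 2016-03-31 -1mon -> 2016-02-29."""
    year, month0 = divmod(dt.year * 12 + dt.month - 1 + months, 12)
    return dt.replace(year=year, month=month0 + 1, day=min(dt.day, calendar.monthrange(year, month0 + 1)[1]))

def _offset(dt, n, unit):
    if unit in ("second", "minute", "hour", "day", "week"):
        return dt + timedelta(**{unit + "s": n})
    return _add_months(dt, n * {"month": 1, "quarter": 3, "year": 12}[unit])

def _snap(dt, unit, weekday):
    if weekday is not None and unit != "week":
        raise ValueError("a weekday digit is only valid after @w")
    zero = ("microsecond", "second", "minute", "hour")
    depth = {"second": 1, "minute": 2, "hour": 3}
    if unit in depth:  # zero only the fields below the snap unit
        return dt.replace(**dict.fromkeys(zero[:depth[unit]], 0))
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "week":  # Splunk: @w/@w0 = Sunday .. @w6 = Saturday; Python: Monday=0 .. Sunday=6
        return day - timedelta(days=(day.weekday() - ((weekday or 0) - 1) % 7) % 7)
    if unit == "month":
        return day.replace(day=1)
    if unit == "quarter":
        return day.replace(month=3 * ((day.month - 1) // 3) + 1, day=1)
    if unit == "year":
        return day.replace(month=1, day=1)
    return day

def parse_time_modifier(spec, now=None):
    """Epoch seconds (float) for 'now', a bare epoch, or a modifier such as '-7d@h' or '@w1-1d'."""
    now = now or datetime.now(timezone.utc)
    spec = spec.strip().lower()
    if spec == "now":
        return now.timestamp()
    if re.fullmatch(r"\d+(\.\d+)?", spec):
        return float(spec)  # already an epoch (e.g. a token from a saved search)
    dt, pos = now, 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:
            break  # garbage between tokens; reported below
        pos = m.end()
        if m.group(1):
            count = int(m.group(2)) if m.group(2) else 1  # assumption: '-d' is shorthand for '-1d'
            dt = _offset(dt, count if m.group(1) == "+" else -count, _unit_of(m.group(3)))
        else:
            dt = _snap(dt, _unit_of(m.group(4)), int(m.group(5)) if m.group(5) else None)
    if pos == 0 or pos != len(spec):
        raise ValueError("unparsable time modifier %r" % spec)
    return dt.timestamp()

def resolve_option_range(earliest, latest, now=None):
    """Resolve the earliest=/latest= option pair and reject an inverted range."""
    now = now or datetime.now(timezone.utc)
    et, lt = parse_time_modifier(earliest, now), parse_time_modifier(latest, now)
    if et > lt:
        raise ValueError("earliest (%s) is after latest (%s)" % (earliest, latest))
    return et, lt

try:  # splunklib exists only on the search head; everything above runs without it
    from splunklib.searchcommands import GeneratingCommand, Configuration, Option

    @Configuration()
    class TimeRangeOptionsCommand(GeneratingCommand):
        """Hypothetical command: | timerangeopts earliest=$my_time.earliest$ latest=$my_time.latest$"""
        earliest = Option(require=False, default="-24h")
        latest = Option(require=False, default="now")

        def generate(self):
            et, lt = resolve_option_range(self.earliest, self.latest)
            yield {"_time": lt, "earliest_epoch": et, "latest_epoch": lt}
except ImportError:
    pass
```

Register the command in commands.conf as for any SDK command and start it from the script's main block with dispatch(TimeRangeOptionsCommand, sys.argv, sys.stdin, sys.stdout, __name__). With the constructed SAMPLE_NOW, "-7d@h" resolves to 1470837600.0 and "now" to 1471443921.0, the same pair as in Dev999's log line, which is a handy sanity check when you wire the parser into a real command.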

dominiquevocat
Motivator

Looks like a fairly nice workaround, I will try it 🙂 but I would really like to have it directly in one of the tuples.

0 Karma

sloshburch
Splunk Employee

What exactly do you mean by "directly in one of the tuples"? I may have misunderstood originally.

0 Karma

dominiquevocat
Motivator

Hi SloshBurch, my question was regarding writing a custom command and taking the search earliest and search latest for passing the time range to filter a request to an API.

0 Karma

sloshburch
Splunk Employee

Ok, so you were not asking in response to what I posted. Just wanted to make sure.

0 Karma

Dev999
Path Finder

Please ignore this answer. See the new one above.

0 Karma

sloshburch
Splunk Employee

I'm surprised the $my_time$ calls don't work. You're on a recent release of Splunk, right?

The usual behavior is to refer to those tokens within similar <earliest> and <latest> tags as part of the search definition. You should be able to set that up in the UI without reverting to the source editor.

If that makes no sense, I can be more specific.

0 Karma

Dev999
Path Finder

This is for a custom command, not a regular Splunk search. The time range is used as parameters for a custom command that is consumed by Python code on the Splunk server, not within the dashboard page.

0 Karma

martin_mueller
SplunkTrust

I fear this may not be possible, as I detailed in this answer: http://answers.splunk.com/answers/116430/earliest-and-latest-information-in-custom-python-search-com...
Until someone proves me wrong I'd go with the addinfo workaround.

0 Karma

martin_mueller
SplunkTrust

You can always submit a feature request through the support portal at https://login.splunk.com/page/sso_redirect?type=portal

0 Karma

martin_mueller
SplunkTrust

The fields won't end up in the settings tuple, they will end up in the results tuple.

0 Karma

dominiquevocat
Motivator

OK, I see what you mean. The object results is of type list, where the value is visible when I print it, so I need to transform it. I hope I find a nice example :-). Can Splunk please seriously consider passing the time range, pretty please? 🙂

0 Karma
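Pulling the thread together: Dev999's accepted answer reads self.search_results_info, the All time subthread shows that search_et/search_lt are simply absent then (martin_mueller: "All time has no boundaries"), and the addinfo workaround puts info_min_time/info_max_time into the result rows instead of the settings tuple. The following is an added example, not code from the thread: it resolves the range from either source without an attribute access that can raise, treats unbounded values as missing, caps an unbounded earliest to an assumed 24-hour span so the downstream API call stays bounded, and renders the 2015-03-16-17-13-00 format the question asks for. UTC, the 24-hour span, the SearchInfo stand-in object and the hypothetical command name timerangedemo are all assumptions made for the example.

```python
# Added example, not code from the thread: resolve the search time range inside a Python custom
# command without crashing on "All time", from either the SDK's search_results_info (Dev999's
# answer) or the first result row after "| addinfo" (martin_mueller's workaround), and format it
# the way the question's webservice wants. The 24h fallback span and UTC are assumptions.
import math
from datetime import datetime, timedelta, timezone

WS_FORMAT = "%Y-%m-%d-%H-%M-%S"  # 2015-03-16-17-13-00, as in the question; rendered in UTC
DEFAULT_SPAN = timedelta(hours=24)  # assumed cap when the search has no earliest bound

class SearchInfo(object):
    """Constructed stand-in for the SDK's search_results_info object (example only)."""
    def __init__(self, **fields):
        self.__dict__.update(fields)

def to_epoch(value):
    """Finite epoch float, or None when the bound is absent or unbounded.

    Tolerates None and '' (field missing/empty in info.csv for "All time"), "+Infinity" and
    0.000 (addinfo's info_max_time/info_min_time when unbounded) and strings like "1470837600.000".
    """
    if value is None or (isinstance(value, str) and not value.strip()):
        return None
    try:
        epoch = float(value)
    except (TypeError, ValueError):
        return None
    return None if math.isnan(epoch) or math.isinf(epoch) or epoch <= 0 else epoch

def resolve_time_range(info=None, row=None, now=None, default_span=DEFAULT_SPAN):
    """Return (earliest_epoch, latest_epoch) as floats, never None.

    info: object with search_et/search_lt (GeneratingCommand.search_results_info).
    row:  dict with info_min_time/info_max_time (results[0] after "| addinfo").
    A missing latest falls back to now; a missing or inverted earliest falls back to
    latest - default_span, so an "All time" search still produces a bounded API call.
    """
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    et = lt = None
    if info is not None:  # getattr, never info.search_et: the attribute is absent for "All time"
        et, lt = to_epoch(getattr(info, "search_et", None)), to_epoch(getattr(info, "search_lt", None))
    elif row is not None:
        et, lt = to_epoch(row.get("info_min_time")), to_epoch(row.get("info_max_time"))
    if lt is None:
        lt = now
    if et is None or et > lt:
        et = lt - default_span.total_seconds()
    return et, lt

def format_for_webservice(epoch):
    """Epoch seconds -> 'YYYY-mm-dd-HH-MM-SS' in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(WS_FORMAT)

def webservice_params(info=None, row=None, now=None):
    """The (start, end) strings handed to the webservice."""
    et, lt = resolve_time_range(info, row, now)
    return format_for_webservice(et), format_for_webservice(lt)

try:  # splunklib is only present on the search head; the helpers above run without it
    from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration

    @Configuration()
    class TimeRangeDemoCommand(GeneratingCommand):
        """Hypothetical generating command: | timerangedemo"""
        def generate(self):
            et, lt = resolve_time_range(info=self.search_results_info)  # None-safe on "All time"
            start, end = format_for_webservice(et), format_for_webservice(lt)
            # ... call the webservice with start/end here (the thread does not name it) ...
            yield {"_time": lt, "ws_start": start, "ws_end": end}

    if __name__ == "__main__":
        import sys
        dispatch(TimeRangeDemoCommand, sys.argv, sys.stdin, sys.stdout, __name__)
except ImportError:
    pass
```

For an old-style Intersplunk command, pass the first element of the results list returned by getOrganizedResults() as row after piping through addinfo; for an SDK command, pass search_results_info as info. Either way the caller gets two epochs back and never touches a possibly missing attribute itself, which is the crash NathanielHunter hit.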