Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Time Input to Form Not Working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I've been overthinking this, but for the life of me I cannot get my Time Input to my form working! I'm using this documentation: http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/FormEditor#Add_a_time_input_to_a_for and this is my search string from my report:
index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=%username%
I didn't see anything in the documentation that says I need to edit this search string. Even more importantly, however, I do not see a "Search Icon" when I go to edit a panel, let alone an option to "Edit Search String" or use a Shared Time Picker.
That said, I was able to get this partially working by playing around with the timerange a bit. My query works for items like last 15 minutes, last 24 hours, last 7 days, etc.....everything BUT for "All time". If I select "All time", get an error saying that they couldn't parse the search because of a comparator operator (Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.).
My source code is as follows:
<form>
<label>Cutomized Audit Log</label>
<description>Audit Log from Unified Audit Trail (custom table).</description>
<fieldset autoRun="false" submitButton="true">
<input type="text" token="username">
<label>Username</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="time" token="timerange" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Customized Audit Log</title>
<event>
<search>
<query>index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=$username$ earliest=$timerange.earliest$ latest=$timerange.latest$</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
What is going on? What am I doing wrong? Would greatly appreciate any help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should put earliest/latest in the xml instead of the search string:
<form>
<label>Cutomized Audit Log</label>
<description>Audit Log from Unified Audit Trail (custom table).</description>
<fieldset autoRun="false" submitButton="true">
<input type="text" token="username">
<label>Username</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="time" token="timerange" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Customized Audit Log</title>
<event>
<search>
<query>index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=$username$</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much!!! That solved my issue!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should put earliest/latest in the xml instead of the search string:
<form>
<label>Cutomized Audit Log</label>
<description>Audit Log from Unified Audit Trail (custom table).</description>
<fieldset autoRun="false" submitButton="true">
<input type="text" token="username">
<label>Username</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="time" token="timerange" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Customized Audit Log</title>
<event>
<search>
<query>index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=$username$</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
AppDynamics Summer Webinars
SOCin’ it to you at Splunk University
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
