How to suppress "Your timerange was substituted based on your search string" message?

taozi021
Explorer

If I use earliest or latest in a saved search, and use it in a view, the annoying message will appear! How can I suppress it or eliminate it?

1 Solution

William
Path Finder

One method is to modify the function "getHTMLTransform" in "Message.js" to compare and filter your message exactly, e.g.:

getHTMLTransform: function(){
    var html = [];
    for(var i=0; i<this.messages.length; i++){
        var message = this.messages[i];
        // Skip only the exact time-range substitution notice; all other messages still render.
        if (message.content == "Your timerange was substituted based on your search string") {
            continue;
        }
        html.push('<li class="'+message.level+'">');
        html.push(this.getWikiTranform(message.content));
        html.push('</li>');
    }
    return html.join('');
}

0 Karma

gkanapathy
Splunk Employee

This change will get overwritten every time you upgrade without any prompting. This includes installations of service releases.

gkanapathy
Splunk Employee

Well, the simplest way is to not put the time range in the search string, but to use the earliest and latest parameters instead. These are available in saved searches, and can be specified in views.

therealdpk
Path Finder

This error still appears even if you specify earliest and latest, at least in 4.3.2, FWIW.

0 Karma

taozi021
Explorer

I have defined the time range as a macro, which makes saved searches more flexible. There are many saved searches that use the macro. Thanks gkanapathy!

0 Karma

southeringtonp
Motivator

Variations of this question keep coming up. You can suppress it with the filter param of the Message module in advanced XML, but you'll filter out other messages as well.

Take a look at the following threads:

  • http://answers.splunk.com/questions/6372/your-timerange-was-substituted-based-on-your-search-string-...
  • http://answers.splunk.com/questions/6173/suppress-lookup-table-alert-in-message-module
  • http://answers.splunk.com/questions/3123/message-module-filter-values

While you're at it, you might also submit an enhancement request to Splunk and ask for more targeted filtering.

    southeringtonp
    Motivator

    Unless you can take it out of the search string altogether as gkanapathy suggests, I don't know of a cleaner solution. You could do something with CSS but that gets ugly fast. Remember though that converting to advanced XML might not be as bad as you think, since Splunk will do most of the work for you if you add ?showsource=1 to the URL of your existing view.

    0 Karma

    taozi021
    Explorer

    Thanks a lot! But I have a large number of views (which are not built in the advanced way but as dashboards or forms). I cannot transform all of them to advanced views, so is there another elegant solution? southeringtonp, thanks again!

    0 Karma
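
Added example (not part of the thread and not Splunk's code): the exact-match suppression from William's answer, written as a wrapper around an existing getHTMLTransform so that only the listed string is dropped and every other message, including look-alikes, still renders. It assumes only the `messages` array and the method name shown in that answer; `wrapGetHTMLTransform`, `SUPPRESSED` and `demoModule` are hypothetical names and the sample messages are constructed.

```javascript
// Added example, not Splunk's code. Only the `messages` array and the
// getHTMLTransform() method name come from the answer above; the rest is assumed.

// Exact strings to hide. Anything not listed here is still rendered.
var SUPPRESSED = [
    "Your timerange was substituted based on your search string"
];

// Wrap an existing getHTMLTransform so the original rendering logic is reused
// untouched and only exact-match messages are dropped.
function wrapGetHTMLTransform(original, suppressed) {
    return function () {
        var all = this.messages || [];
        var kept = [];
        for (var i = 0; i < all.length; i++) {
            var content = all[i] && all[i].content;
            // Strict whole-string comparison: no substring or level matching,
            // so unrelated warnings and errors cannot be hidden by accident.
            if (typeof content === "string" && suppressed.indexOf(content) !== -1) {
                continue;
            }
            kept.push(all[i]);
        }
        this.messages = kept;        // render the filtered list
        try {
            return original.apply(this, arguments);
        } finally {
            this.messages = all;     // restore, so the module state is unchanged
        }
    };
}

// Constructed stand-in for the module, for demonstration only.
var demoModule = {
    messages: [
        { level: "info",  content: "Your timerange was substituted based on your search string" },
        { level: "error", content: "Constructed sample error from another command" },
        { level: "warn",  content: "Your timerange was substituted based on your search string (constructed variant)" }
    ],
    getHTMLTransform: function () {
        var html = [];
        for (var i = 0; i < this.messages.length; i++) {
            html.push('<li class="' + this.messages[i].level + '">' + this.messages[i].content + '</li>');
        }
        return html.join('');
    }
};
demoModule.getHTMLTransform = wrapGetHTMLTransform(demoModule.getHTMLTransform, SUPPRESSED);
```
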