
Multiple TimeRangePicker for one query

rmorlen
Splunk Employee

We have a query similar to:

| set intersect
[
search index=main earliest=3/12/2014:0:0:0 latest=3/13/2014:0:0:0 | eval Error=substr(message_text,0,75) | dedup Error | table Error
]
[
set diff

[
search index=main earliest=3/12/2014:0:0:0 latest=3/13/2014:0:0:0 | eval Error=substr(message_text,0,75) | dedup Error | table Error
]
[
search index=main earliest=3/01/2014:0:0:0 latest=3/07/2014:0:0:0 | eval Error=substr(message_text,0,75) | dedup JVM_Error | table Error
]
]
| table Error

We would like to have a dashboard with 3 TimeRangePickers, one for each subsearch.

Any idea how I could do this using sideview utils?

1 Solution

sideview
SplunkTrust

Yes you can do this. At some point in the future Sideview will have its own TimePicker module that will be a little more flexible than Splunk's TimeRangePicker module. That module when it comes will make this actually a very simple thing to do.

However here the workaround is pretty ugly... I'm sorry. But we take Sideview ValueSetter modules and basically use them to rename the inflexible output of the TimeRangePicker into something more usable. (In truth even the whole $search.timeRange.earliest$ key is itself something added by Sideview Utils, but that's another story)

Here's a working example:

<module name="TimeRangePicker">
  <param name="default">Last 24 hours</param>

  <module name="ValueSetter">
    <param name="arg.stashedEarliest1">$search.timeRange.earliest$</param>
    <param name="arg.stashedLatest1">$search.timeRange.latest$</param>

    <module name="TimeRangePicker">
      <param name="default">Last 7 days</param>

      <module name="ValueSetter">
        <param name="arg.stashedEarliest2">$search.timeRange.earliest$</param>
        <param name="arg.stashedLatest2">$search.timeRange.latest$</param>

        <module name="TimeRangePicker">
          <param name="default">last 60 minutes</param>

          <module name="ValueSetter">
            <param name="arg.stashedEarliest3">$search.timeRange.earliest$</param>
            <param name="arg.stashedLatest3">$search.timeRange.latest$</param>

            <module name="HTML">
              <param name="html"><![CDATA[
              $stashedEarliest1$ - $stashedLatest1$<br>
              $stashedEarliest2$ - $stashedLatest2$<br>
              $stashedEarliest3$ - $stashedLatest3$<br>
              ]]></param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

One thing you'll notice though that is a little weird, is that the second TimeRangePicker will set itself to the value of the first, and the third will then set itself to the value of the second. This is just the normal form-element convention applying -- the modules see a key coming from upstream that matches their own key. Splunk's TimeRangePicker module has no "name" param like a Sideview module would have, so all three TimeRangePickers think they're the same key so they all try and align themselves to each other. =/

We can again use ValueSetter to work around this problem for us. Here we tell ValueSetter to obliterate the TimeRangePicker keys at the same time as it's stashing them.

And this last example, finally, is what you're asking for:

<module name="TimeRangePicker">
  <param name="default">Last 24 hours</param>

  <module name="ValueSetter">
    <param name="arg.stashedEarliest1">$search.timeRange.earliest$</param>
    <param name="arg.stashedLatest1">$search.timeRange.latest$</param>
    <param name="arg.search.timeRange.earliest"> </param>
    <param name="arg.search.timeRange.latest"> </param>

    <module name="TimeRangePicker">
      <param name="default">Last 7 days</param>

      <module name="ValueSetter">
        <param name="arg.stashedEarliest2">$search.timeRange.earliest$</param>
        <param name="arg.stashedLatest2">$search.timeRange.latest$</param>
        <param name="arg.search.timeRange.earliest"> </param>
        <param name="arg.search.timeRange.latest"> </param>

        <module name="TimeRangePicker">
          <param name="default">last 60 minutes</param>

          <module name="ValueSetter">
            <param name="arg.stashedEarliest3">$search.timeRange.earliest$</param>
            <param name="arg.stashedLatest3">$search.timeRange.latest$</param>
            <param name="arg.search.timeRange.earliest"> </param>
            <param name="arg.search.timeRange.latest"> </param>

            <module name="HTML">
              <param name="html"><![CDATA[
              $stashedEarliest1$ - $stashedLatest1$<br>
              $stashedEarliest2$ - $stashedLatest2$<br>
              $stashedEarliest3$ - $stashedLatest3$<br>
              ]]></param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

Like I said, it's super ugly. When the Sideview TimePicker comes along to replace TimeRangePicker this will fold down to like three lines of XML.

Also remember that it's best to use the various $stashedEarliest1$ keys like this:

<module name="Search">
  <param name="search">some search | timechart count by foo</param>
  <param name="earliest">$stashedEarliest1$</param>
  <param name="latest">$stashedLatest1$</param>
  <!-- downstream modules that render the results go here -->
</module>

I understand that with your use case you have to put the tokens right into the search language, but just for others reading - it's better for several reasons if you can put it into the earliest/latest params instead of into the search string.
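
An added example (not part of the original answer or of Sideview's own documentation) of the case mentioned above, where the tokens have to go into the search language: the question's set intersect / set diff query with one stashed pair per subsearch. It assumes pickers 1, 2 and 3 map to the subsearches in order, that every picker yields non-empty earliest and latest values, and that `dedup Error` is intended in all three subsearches; SimpleResultsTable is just one choice of results module.

```xml
<!-- Added example, not from the original answer. Nest this inside the third
     (innermost) ValueSetter of the final example, in place of the HTML module. -->
<module name="Search">
  <!-- Each subsearch carries its own picker's range inline. The ValueSetters
       upstream blanked search.timeRange.*, so the only time bounds in play
       are the stashed ones written into the search string here. -->
  <param name="search"><![CDATA[
    | set intersect
      [ search index=main earliest=$stashedEarliest1$ latest=$stashedLatest1$
        | eval Error=substr(message_text,0,75) | dedup Error | table Error ]
      [ set diff
        [ search index=main earliest=$stashedEarliest2$ latest=$stashedLatest2$
          | eval Error=substr(message_text,0,75) | dedup Error | table Error ]
        [ search index=main earliest=$stashedEarliest3$ latest=$stashedLatest3$
          | eval Error=substr(message_text,0,75) | dedup Error | table Error ] ]
    | table Error
  ]]></param>

  <!-- Core Splunk results table; swap in whichever results module the view uses. -->
  <module name="SimpleResultsTable" />
</module>
```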

rmorlen
Splunk Employee

Great! Thanks. Now when will the new TimePicker be out? 🙂
