Splunk Search

Changing the search used, based upon the time range selected

jdunlea_splunk
Splunk Employee

I am wondering if we can change a search on a dashboard based upon the time range selected.

E.g.: I have a hidden search module which runs a dashboard. The search looks for: "index=A foo=X". However this is fine for the last 24 hours... but if I select the last 7 days, I want the search to be "index=A foo=Y"

Is there a way to change these underlying searches based upon the selection of a different time range?

Thanks!

1 Solution

dwaddle
SplunkTrust

Not an elegant way, but a way that does seem to work and is suitable for use in a dashboard. Use a subsearch.

index=A 
[ 
   search index=A
   | head 1 
   | addinfo 
   | eval foo=if(info_max_time-info_min_time <= 86400,"X","Y") 
   | fields foo
]

This will let the subsearch compute the value for foo based on the relative values of info_max_time and info_min_time that addinfo includes into the search.
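
A variation on the subsearch above, added here as an example and not part of dwaddle's post: it generates the single row with makeresults instead of reading an event from index=A, so the value of foo does not depend on index=A having an event in the selected range. It assumes addinfo reports info_max_time as +Infinity when the time range is "All time" and substitutes now() in that case; the 86400-second threshold and the X/Y values are the ones from the post.

```spl
index=A
    [| makeresults
     | addinfo
     | eval info_max_time=if(info_max_time="+Infinity", now(), info_max_time)
     | eval foo=if(info_max_time - info_min_time <= 86400, "X", "Y")
     | fields foo ]
```

Running the bracketed part on its own, without the brackets, under each time range the dashboard offers shows which foo value the outer search will receive.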

jdunlea_splunk
Splunk Employee

Nice! That looks like it will work.

I will try it and update if I see any related issues.

Thanks!
