Real-time option in time range picker for simple XML?

esachs
Splunk Employee

I have a form using simple XML. I have a timerange picker which applies to all the panels:

<input type="time"/>
<input type="dropdown" token="timeSpan">
    <label>Time span for charts</label>
    <default>span=4h</default>
    <choice value="span=5m">5 Minute</choice>
    <choice value="span=10m">10 Minutes</choice>
    <choice value="span=1h">1 hour</choice>
    <choice value="span=4h">4 hours</choice>
    <choice value="span=24h">24 hours</choice>
    <choice value="span=7d">7 days</choice>
    <choice value="rt">Real-time</choice>
</input>

I'd like to add an option for a real-time selection with (say) a window of earliesttime=rt-4h, latesttime=rt. Can I do that?

0 Karma

sideview
SplunkTrust

I'm not 100% sure what you're ultimately doing with this dropdown either.

But it looks like you're using the <input type="time"/> to let the user set the timerange (which includes various real-time timeranges), and then you're giving them a dropdown to manually control the timespan of a timechart command below somewhere.

Assuming that's correct, the span argument to timechart has no effect on the realtime vs historical nature of the search. That determination is already made when the timerange was picked in the <input type="time"/> element...

One note: the values and the order and the grouping of the entries in the time pulldown can actually all be changed and customized for a given app by setting different stanzas in times.conf. This may be overkill for you but it might be worth knowing.
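
The times.conf customization mentioned in the answer above, as an added example that is not part of the original post: a stanza that adds a real-time preset with the 4-hour window the question asks for to the time range picker. The stanza name, label and order value are assumptions chosen for illustration.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/times.conf
# Stanza name, label and order are illustrative (assumed) values.

[real_time_last4h]
# Text shown for this entry in the time range picker
label = 4 hour window (real-time)
# Text shown above the results once this range is selected
header_label = in a 4 hour real-time window
# Sliding real-time window: from 4 hours ago up to now
earliest_time = rt-4h
latest_time = rt
# Position among the other picker entries (lower values sort first)
order = 95
```

With a preset like this, the real-time choice is made in the `<input type="time"/>` picker, and the `timeSpan` dropdown only needs its `span=` choices.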

gkanapathy
Splunk Employee

Can you please clarify what you are doing? Is this picker choosing a bucket span for search results, or is it picking a time range for the search? It only makes sense to real-time if it is a range. (A bucket span in a RT search should be the same as a historical search.)

If it is picking a bucket span (suggested by span=XX), then could you instead just use the regular time picker and set bins=1 instead? I find that using either auto-bucket ranges in timechart or setting a number of bins works very well.

0 Karma