Can I create a dashboard where the searches depend on the selected time range?
In my case, I want to query 24 hours of data from the original index with timechart span=5min.
When the user selects a time range larger than 24 hours, it will search data from the summary index with timechart span=1h.
Does TimeRangePicker allow such customization?
Or do I need to use Sideview?
Philip
There's a "hack" that allows you to choose a different summary index as the query-source depending on the selected timerange:
<your search> [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=86400, "index=summary1", "index=summary2") ]
So this will expand to index=summary1 <your search> if the selected timerange is less than a day and index=summary2 <your search> otherwise.
Unfortunately this can't be used to alter the span parameter for the timerange command.
Thank you so much! I think it can really solve my problem.
I'd like to learn more.
I think span is not a big concern.
If you don't explicitly specify a span for timechart, it will pick an appropriate span automatically, which should be the easiest way of solving what you want to accomplish.
Yes... unfortunately it has become my next problem now...
I tried fixing span=5m. It's fine for retrieving 1h data from the summary index for 7 days, but if I change the range to 30 days, it shows nothing in the timechart!
Ah, I missed the part of using the summary index instead of the default, sorry. To my knowledge this is not possible to do (or at least not easily done).
Indeed, I have tried. It seems Splunk won't choose span=5min. (I guess 15min is the default minimum.)
And I still have a problem making my index dynamic...
Thanks!