I need to set my custom time as the default time in the time picker, so that the bar chart will only show the data for that time. I have to show data from the current week's Friday night to Saturday morning (say Fri 8PM - Sat 5AM) by default when I open the dashboard.
I tried this:
As I put
@w5+20h
@w6+5h
But it shows the previous week's Fri-Sat data if the current day is before Friday (like Tuesday). I need to select Fri and Sat of the current week even if the current day is Mon, Tue, etc.
In addition, it would be great if I were able to modify Times.config, so that the predefined time appears as a new option in the default time picker.
Any help will be great!!
Try this. My Splunk version is 6.5.2. Irrespective of it, have your default time picker values as
@w+5d+20h
and then use those tokens in your search query. Just tested it and it works fine for me.
timepicker
<input type="time" token="field1">
  <label>PickTime</label>
  <default>
    <earliest>@w+5d+20h</earliest>
    <latest>@w+6d+5h</latest>
  </default>
</input>
<panel>
  <event>
    <search>
      <query>index="abc" </query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.sortDirection">asc</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
  </event>
</panel>
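An added illustration, not part of the original posts and not Splunk's own code: a simplified Python emulation of how the snap-to-week modifiers in this thread resolve, showing why @w5+20h lands on the previous Friday when evaluated on a Tuesday while @w+5d+20h lands on the current week's Friday. It assumes Splunk's Sunday-based week (@w and @w0 are Sunday, @w5 is Friday), supports only @w snaps and h/d/w offsets, and ignores time zones; `resolve`, `compare` and the sample date are constructed for this example.

```python
import re
from datetime import datetime, timedelta

UNITS = {"h": "hours", "d": "days", "w": "weeks"}
# One token is either an offset (+5d, +20h, +1w) or a week snap (@w, @w0..@w7).
TOKEN = re.compile(r"([+-]\d+)([hdw])|@w([0-7])?")

def resolve(modifier, now):
    """Apply a relative time modifier left to right (subset emulation, an assumption)."""
    t, pos = now, 0
    for m in TOKEN.finditer(modifier):
        if m.start() != pos:                 # finditer skips unknown text; reject it
            raise ValueError(f"unsupported modifier: {modifier!r}")
        pos = m.end()
        if m.group(1):                       # offset: move forward or back
            t += timedelta(**{UNITS[m.group(2)]: int(m.group(1))})
        else:                                # snap: always rounds DOWN to that weekday
            target = int(m.group(3) or 0) % 7         # @w, @w0 and @w7 mean Sunday
            splunk_dow = (t.weekday() + 1) % 7        # Python Mon=0 -> Sunday=0
            back = (splunk_dow - target) % 7          # days since that weekday
            t = (t - timedelta(days=back)).replace(
                hour=0, minute=0, second=0, microsecond=0)
    if pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t

def compare(now):
    """Resolve the question's and the answer's time ranges for the same 'now'."""
    return {
        "question @w5+20h .. @w6+5h": (resolve("@w5+20h", now), resolve("@w6+5h", now)),
        "answer @w+5d+20h .. @w+6d+5h": (resolve("@w+5d+20h", now), resolve("@w+6d+5h", now)),
    }

if __name__ == "__main__":
    # Constructed sample dates: a Tuesday and the following Saturday.
    for now in (datetime(2017, 6, 6, 10, 30), datetime(2017, 6, 10, 12, 0)):
        print("now =", now.strftime("%a %Y-%m-%d %H:%M"))
        for label, (start, end) in compare(now).items():
            print(f"  {label}: {start:%a %m-%d %H:%M} -> {end:%a %m-%d %H:%M}")
```

On the Tuesday the two forms differ by exactly one week; from Saturday onward they resolve to the same window.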
Yes! It works. How can I add this default time as an option in the time picker (as there are Relative, Date range, etc.)?
I'll need to noodle on that first part, but for the time picker, if you go to Settings>User interface>Time ranges, you can add a new time range there. Set the permissions for everyone who needs it and you should be good.
Thanks @cmerriman, adding Time Range worked!! Can I add this Range as part of the main menu, as there are 'Preset' etc., not under 'Preset'?
So, testing some stuff out, this I think will get you there; however, if no data is available for future days (today is Monday, June 5th, I have no data for Friday, June 10th), it will come up empty.
index=XXX earliest=@w5+20h latest=+1w@w6+5h
| eval earliest=if(strftime(now(),"%a")="Mon" OR strftime(now(),"%a")="Tue" OR strftime(now(),"%a")="Wed" OR strftime(now(),"%a")="Thu",relative_time(_time,"+1w@w5+20h"),_time)
| eval latest=if(strftime(now(),"%a")="Mon" OR strftime(now(),"%a")="Tue" OR strftime(now(),"%a")="Wed" OR strftime(now(),"%a")="Thu",relative_time(_time,"+1w@w6+5h"),relative_time(_time,"@w6+5h"))
| where _time>=earliest AND _time<=latest