Post-process search with time picker to chance onl...

johnansett · ‎06-22-2018

Hello, not sure if this can be done, but figured I'd ask.

I have a dashboard with 4 base searches. I a row of tables which are post processed off them, which then drill down to another row of tables which is post processed from the same base search and finally that drills down to timechart, also post-processed from the same base search.

What I want to do is show the last 24 hours for the tables (which is set earliest/latest on the base search) but I want a time picker to be able to extend the timechart time range as desired. Is this possible? How can I do this, without effecting the results of the tables?

I can post the code if necessary.

Thanks!

gcusello · ‎06-22-2018

Hi johnansett,
I don't know if it's exactly what you want, but in Splunk Dashboard Examples ( https://splunkbase.splunk.com/app/1603/ ) there's a dashboard that could solve you need: "Pan and Zoom Chart Controls"
Using this dashboard you can use a panel to restrict time range for the other panels.
Bye.
Giuseppe

johnansett · ‎06-22-2018

Thanks, but I'm trying to go the other way. The goal is the tables provide a 24 hour view on the tables but they want to change the time on the timechart to 7 days, 30 days, etc. to see if this is a trend.

I can do it by using a separate search to power the timechart but defeats the purpose of the post-processing optimisation.

gcusello · ‎06-23-2018

you could put another time picker (or a different input) in the second panel that uses the first Time Picker as default.
Bye.
Giuseppe

Post-process search with time picker to chance only effect one panel/search

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes