How to restrict time range picker to specific period for search?

kamlesh_vaghela
SplunkTrust

Hello Team,

Here, I want some way to restrict users from searching over more than a specific period.
e.g. a user can only select a time range of up to 3 months, whether that is the last 3 months, OR 1st Oct to 31 Dec, OR any time range at or under 3 months.

If the time range is more than 3 months it should prompt a message and not allow any search to execute.

So please share any ideas and any hints on how to do that.

Thanks in advance.

1 Solution

kamlesh_vaghela
SplunkTrust

Hello All,

I've found a way to put validation on the time range picker. It is somewhat tricky but it's working. I've executed a search for validating the time range. This search returns a flag and helps to set a dummy token for executing a panel's search. I have designed a sample dashboard for the same.

<form>
  <label>Time Range Validation Example</label>
  <!-- Validation search: runs over the picked range, resolves it with addinfo and
       returns allowed=1 when the span is within max (here 2 days, i.e. 2*86400 s).
       The less-than in if() must be written as &lt; or the dashboard XML will not parse. -->
  <search>
    <query>| makeresults | addinfo | eval diff=info_max_time-info_min_time, max=(2*86400) | eval allowed=if(max-diff &lt; 0,0,1) | table allowed</query>
    <earliest>$timerange_tkn.earliest$</earliest>
    <latest>$timerange_tkn.latest$</latest>
    <done>
      <!-- Range OK: set the dummy token the panel search depends on and clear the error token -->
      <condition match="$result.allowed$ > 0">
        <set token="timerangetoken">  </set>
        <unset token="timerange_tknErr"></unset>
      </condition>
      <!-- Range too long: show the error row; the panel search stays blocked without its token -->
      <condition>
        <set token="timerange_tknErr">  </set>
        <unset token="timerangetoken"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timerange_tkn" searchWhenChanged="true" id="timepicked_id">
      <label>Time Range</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Error row, only rendered while the error token is set -->
  <row depends="$timerange_tknErr$">
    <panel>
      <html>
        <div id="timerange_tknErrMsg_id"/>
        <div class="alert alert-error">
          <i class="icon-alert"/>
          <span class="errorBackground"> Invalid time range.</span>
        </div>
      </html>
    </panel>
  </row>
  <!-- Real panel: the search string starts with $timerangetoken$, so it does not run until that token exists -->
  <row>
    <panel>
      <title>Count by sourcetype</title>
      <table>
        <search>
          <query>$timerangetoken$ index=_internal | head 1000 | stats count by sourcetype</query>
          <earliest>$timerange_tkn.earliest$</earliest>
          <latest>$timerange_tkn.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Happy Splunking

Kamlesh

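The following is an added example, not Kamlesh's dashboard code or anything shipped by Splunk. It models offline what the `| makeresults | addinfo | eval ...` validation search decides, so the rule can be tested before it is wired into SimpleXML tokens. `allowed_by_days` is a literal port of the `max=(N*86400)` check in the dashboard; `allowed_by_calendar_months` is an assumed variant that measures the span in whole calendar months, because a fixed 90-day limit would reject the "1st Oct to 31 Dec" case from the question (that range is 92 days). All helper names are my own, times are resolved in UTC for the example (Splunk resolves them in the user's time zone), and the "All time" inputs (`info_min_time` 0, `info_max_time` +Infinity) are constructed to show how both checks reject an unbounded range.

```python
"""Offline model of the dashboard's time-range validation search (added example)."""
import calendar
import math
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400


def epoch(y, m, d, hh=0, mm=0, ss=0):
    """Epoch seconds for a UTC wall-clock time (assumption: UTC throughout)."""
    return int(datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc).timestamp())


def allowed_by_days(info_min_time, info_max_time, max_days):
    """Port of the SPL in the dashboard:
         eval diff=info_max_time-info_min_time, max=(max_days*86400)
       | eval allowed=if(max-diff<0,0,1)
    Returns 1 when the span fits (a span exactly equal to the limit is allowed), else 0.
    An "All time" range gives diff=+inf, so it is rejected."""
    diff = info_max_time - info_min_time
    return 0 if (max_days * SECONDS_PER_DAY) - diff < 0 else 1


def months_later(ts, months):
    """Epoch seconds of ts advanced by whole calendar months, clamping the day of
    month to what the target month has (31 Oct + 1 month -> 30 Nov)."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    month0 = dt.month - 1 + months
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return int(dt.replace(year=year, month=month, day=day).timestamp())


def allowed_by_calendar_months(info_min_time, info_max_time, max_months):
    """Calendar-aware variant (assumed, not in the original dashboard): the range is
    allowed when latest does not exceed earliest advanced by max_months months.
    Rejects unbounded inputs outright instead of overflowing on fromtimestamp()."""
    if info_min_time <= 0 or not math.isfinite(info_max_time):
        return 0
    return 1 if info_max_time <= months_later(info_min_time, max_months) else 0


if __name__ == "__main__":
    # Constructed sample ranges, printed for a quick manual check.
    oct1, dec31 = epoch(2023, 10, 1), epoch(2023, 12, 31, 23, 59, 59)
    print("Oct 1 .. Dec 31, 90-day rule     :", allowed_by_days(oct1, dec31, 90))
    print("Oct 1 .. Dec 31, 3-month rule    :", allowed_by_calendar_months(oct1, dec31, 3))
    print("All time, 3-month rule           :", allowed_by_calendar_months(0, float("inf"), 3))
```

Whichever rule you pick, keep in mind what the token trick does and does not do: it only gates the panel search inside this dashboard. A user with search access can still run the same query from the search bar, so the server-side counterpart is the per-role search time window in authorize.conf (the `srchTimeWin` setting), which is the RBAC control the other reply refers to.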


inventsekar
Ultra Champion

I think this can be done only through a dashboard:
https://answers.splunk.com/answers/222650/limit-choices-in-default-timepicker.html

Also, check this:
https://simonduff.net/splunk_restrict_time_range_picker/
From the above link: The downsides are that this only works for custom dashboards and forms, and that these presets are just masked – a crafty user could disable this CSS and select these hidden items. However, Splunk provides sufficient restrictions as part of its RBAC model to limit users from doing long running or all time searches, if required.

You can grab an example app that demonstrates this configuration from https://github.com/sduff/restrict_timepicker.


kamlesh_vaghela
SplunkTrust

@inventsekar

Thanks for the reply. Basically, I'm looking for something like validation. I have already restricted the presets using CSS, but I want to keep the open time range (from date/time - to date/time). So the period between the from and to date/time should not be more than 3 months. So is there any JS or something to implement it?
