Hello Team,
Here, I want some way to restrict events to search more than a specific period.
E.g., the user can only select a time range of 3 months, whether it is the last 3 months, or 1st Oct to 31-Dec, or any time range of 3 months or under.
If the time range is more than 3 months, it should prompt a message and not allow any search to execute.
So please share any ideas or hints on how to do that.
Thanks in advance.
Hello All,
I've found a way to put validation on the time range picker. It is somewhat tricky, but it works. I've executed a search for validating the time range. This search will return a flag and will help to set dummy tokens for executing a panel's search. I have designed a sample dashboard for the same.
<form>
  <label>Time Range Validation Example</label>
  <!-- Validation search: addinfo exposes the picked range as info_min_time/info_max_time.
       max is the allowed span in seconds (2 days in this sample). -->
  <search>
    <query>| makeresults | addinfo | eval diff=info_max_time-info_min_time, max=(2*86400) | eval allowed=if(max-diff &lt;0,0,1) | table allowed</query>
    <earliest>$timerange_tkn.earliest$</earliest>
    <latest>$timerange_tkn.latest$</latest>
    <done>
      <!-- Range accepted: set the dummy token the panel search depends on and hide the error row -->
      <condition match="$result.allowed$ > 0">
        <set token="timerangetoken"> </set>
        <unset token="timerange_tknErr"></unset>
      </condition>
      <!-- Range too long: show the error row and unset the dummy token so the panel search does not run -->
      <condition>
        <set token="timerange_tknErr"> </set>
        <unset token="timerangetoken"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timerange_tkn" searchWhenChanged="true" id="timepicked_id">
      <label>Time Range</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row depends="$timerange_tknErr$">
    <panel>
      <html>
        <div id="timerange_tknErrMsg_id"/>
        <div class="alert alert-error">
          <i class="icon-alert"/>
          <span class="errorBackground"> Invalid time range.</span>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Count by sourcetype</title>
      <table>
        <search>
          <!-- $timerangetoken$ is only defined after the validation search allows the range -->
          <query>$timerangetoken$ index=_internal | head 1000 | stats count by sourcetype</query>
          <earliest>$timerange_tkn.earliest$</earliest>
          <latest>$timerange_tkn.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking
Kamlesh
I think this can be done only through a dashboard:
https://answers.splunk.com/answers/222650/limit-choices-in-default-timepicker.html
Also, check this:
https://simonduff.net/splunk_restrict_time_range_picker/
From the above link: The downsides are that this only works for custom dashboards and forms, and that these presets are just masked – a crafty user could disable this CSS and select these hidden items. However, Splunk provides sufficient restrictions as part of its RBAC model to limit users from doing long running or all time searches, if required.
You can grab an example app that demonstrates this configuration from https://github.com/sduff/restrict_timepicker.
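The dashboard-level restrictions in this thread apply only inside the dashboard, so the limit that binds every search is the role's `srchTimeWin` in authorize.conf. The following audit check is an added example, not code from the thread or the linked app: it flags roles whose own `srchTimeWin` does not cap searches at 3 months. Assumptions: "3 months" is taken as 90 days, 0 means no limit and -1 or a missing key means unset, the role names and sample file are constructed, and inheritance through `importRoles` is not resolved.

```python
import configparser

MAX_WINDOW = 90 * 86400  # assumption: "3 months" taken as 90 days, in seconds

# Constructed sample authorize.conf; the role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_dashboard_viewer]
importRoles = user
srchTimeWin = 7776000

[role_analyst]
importRoles = user
srchTimeWin = 31536000

[role_contractor]
importRoles = user

[role_legacy_admin]
srchTimeWin = 0
"""


def audit_search_windows(conf_text, max_window=MAX_WINDOW):
    """Return {role: finding} for roles whose own srchTimeWin does not cap searches at max_window."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the camelCase key names as written
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue  # only role stanzas carry srchTimeWin
        raw = parser.get(section, "srchTimeWin", fallback="-1").strip()
        try:
            window = int(raw)
        except ValueError:
            findings[section] = f"not an integer: {raw!r}"
            continue
        if window == -1:
            findings[section] = "unset: limit comes only from imported roles"
        elif window == 0:
            findings[section] = "unlimited"
        elif window > max_window:
            findings[section] = f"{window}s exceeds {max_window}s"
    return findings


if __name__ == "__main__":
    for role, finding in audit_search_windows(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: {finding}")
```

Roles reported as unset still need their imported roles checked by hand before the cap can be considered enforced.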
@inventsekar
Thanks for the reply. Basically, I'm looking for something like validation. I have already restricted it using CSS, but I want to keep the time range open (from date/time - to date/time). So the period between the from and to date/time should not be more than 3 months. So is there any JS or something to implement it?