TimeRangePicker as intention

menkurau
Path Finder

I would like to use the timerangepicker to pass the chosen date as an intention to a search. However, in reading the docs it does not appear to be something that can be done. I have looked a bit at Sideview but it does not appear to solve the problem. Can this be done?

sideview
SplunkTrust

No, I don't think there's any way to have the TimeRangePicker's timerange plugged into an intention. Not without patching the relevant javascript a bit yourself.

This is I think quite possible with Sideview Utils, although Sideview Utils does away with the need for intentions so it's a bit different. You wouldn't plug the TimeRangePicker's arguments into an intention which then gets plugged into a search - you would simply plug the TimeRangePicker's arguments directly into the search, or into an HTML module, etc.

As an example, let's say you wanted to use the TimeRangePicker to determine the timerange for a particular search that gives back a set of hosts, but then you want to take all those hosts, and search for all the activity for those hosts, but just in the last 24 hours. In other words this is using the timerange only in a subsearch, and not in the outer search.

<module name="TimeRangePicker">
  <param name="selected">last 24 hours</param>
  <param name="searchWhenChanged">True</param>

  <module name="Search">
    <param name="search">search * [search earliest="$search.timeRange.earliest$" latest="$search.timeRange.latest$" | dedup host | fields host ] | timechart count</param>
    <param name="earliest">-24h</param>
    <param name="latest">now</param>

    <module name="JSChart" />
  </module>
</module>

Hopefully that helps. There's a great deal of documentation inside the Sideview Utils itself that can tell you more. Make sure to get the latest version from the Sideview site (http://sideviewapps.com/apps/sideview-utils ) rather than the much older version that's on Splunkbase.

sideview
SplunkTrust

Actually, never do that, i.e. putting $search.timeRange.earliest$ into the earliest param. It's completely redundant in all cases. 😃 You're making something trivial into something complex.

The outer search will pick up the TRP's arguments if earliest/latest are not set explicitly. And the subsearch will pick up whatever the outer search has, unless the subsearch contains explicit earliest="foo" and/or latest="bar" terms. And indeed if you put time terms into the subsearch you'll always get those nag messages. I can tell you how to remove them if they're appearing in the UI.

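As an added illustration of the layout described in the reply above (this is not code from the original post or from Sideview Utils), here is the same TimeRangePicker and Search arrangement with no earliest/latest params and no time terms in the subsearch, so both the outer search and the subsearch simply inherit the picked range. The module names are those used in the earlier answer; the sourcetype and status values in the search string are constructed for this example.

```xml
<!-- Added example, not from the original post. Module names follow the
     earlier answer; sourcetype/status values below are constructed. -->
<module name="TimeRangePicker">
  <param name="selected">last 24 hours</param>
  <param name="searchWhenChanged">True</param>

  <!-- No earliest/latest params: the Search module picks up the
       TimeRangePicker's range. The subsearch carries no earliest="..."
       or latest="..." terms, so it inherits the outer search's range too,
       and no "timerange was substituted" message is produced. -->
  <module name="Search">
    <param name="search">search * [search sourcetype=access_combined status=500 | dedup host | fields host] | timechart count by host</param>

    <module name="JSChart" />
  </module>
</module>
```

Here the subsearch finds the hosts that logged a 500 within the picked range and the outer search charts all of their activity over that same range. To restrict only the outer search to a fixed window, as in the earlier answer, the explicit earliest/latest params go on the Search module rather than tokens being pushed into the subsearch.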

brettcave
Builder

Awesome, loving sideview 🙂

Quick question: if I set

<param name="earliest">$search.timeRange.earliest$</param>

would that still extract the active hosts from the selected time period, but return all events between $earliest$ and now? I have tried, but not sure which times are being overridden, as I see:

[subsearch]: [subsearch]: [subsearch]: Your timerange was substituted based on your search string