Splunk Search

Different TimeRangePicker values for different reports in same app

oded4478
Explorer

Hi,

I have successfully configured in a times.conf file the options I want for each of two different TimeRangePickers for two separate reports in the same app.

But it seems I have to choose one configuration or the other, and cannot show different options on both reports.

Is there a way to define times.conf only for a specific report?
Or maybe another way of going about this?

1 Solution

sideview
SplunkTrust

Nope - in a given view in a given app there can only be one times.conf at work.

One idea that springs to mind is to use Sideview Utils and use the Pulldown module to display a few options that are then submitted as the timerange. Here's a self-contained example.

<view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
  <label>Using a Pulldown as a time picker</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />
  <module name="SideviewUtils" layoutPanel="appHeader" />

  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
  </module>

  <module name="Pulldown" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="name">customTimeString</param>
    <param name="label">Timerange </param>
    <param name="staticOptions">
      <list>
        <param name="label">last 15 minutes</param>
        <param name="value">-15min@min,@min</param>
      </list>
      <list>
        <param name="label">last 60 minutes</param>
        <param name="value">-60min@min,@min</param>
      </list>
      <list>
        <param name="label">Yesterday night</param>
        <param name="value">-1d@d+18h,@d</param>
      </list>
    </param>

    <module name="ValueSetter">
      <param name="name">customTime</param>
      <param name="value">$customTimeString$</param>
      <param name="delim">,</param>

      <module name="Search">
        <param name="search"><![CDATA[
          index=_internal source="*metrics.log" group="per_sourcetype_thruput" | stats max(eps) sum(kb) by series
        ]]></param>
        <param name="earliest">$customTime[0]$</param>
        <param name="latest">$customTime[1]$</param>

        <module name="HTML">
          <param name="html"><![CDATA[
            <h3>$results.count$ results $results.timeRange.label$</h3>
          ]]></param>
        </module>
        <module name="JobProgressIndicator" />
        <module name="Pager">
          <module name="Table"></module>
        </module>
      </module>
    </module>
  </module>

</view>

The basic idea is that we use the Pulldown to display our times. Here I've done it using static config although it would be easy to put them into different lookups and then load the timeranges from those lookups with the inputlookup command.

Then we use the ValueSetter module to split the output on the "," characters, thus giving us two separate keys.

Then we plug the two keys in as the actual timerange of our search.

I'm skipping over a lot obviously but Sideview Utils contains its own documentation and lots of embedded step-by-step tutorials and it can fill you in.

You'll need a relatively recent version of Sideview Utils app from the Sideview website ( http://sideviewapps.com/apps/sideview-utils ) rather than the relatively old version of the app that's on Splunkbase.

Note: while you could do the same sort-of idea using just core Splunk modules, it would be a great deal more verbose and complicated. You'd also need to use 2 intentions to create the time arguments and you'd be forced to put those time arguments into the search string because there would be no way to submit them as the actual time arguments. This last point means that you might get a lot of "your timerange was substituted based on your searchstring" messages. Although it would probably work it would take me a while to put together a working example whereas this one was pretty easy to throw together.
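Added example (not part of the original answer, and not Sideview or Splunk code): a Python sketch of what the ValueSetter split described above yields for each Pulldown value, resolving both halves against a fixed clock so the resulting search window can be checked before the view is deployed. It covers only the s/min/h/d units and the left-to-right offset and snap chaining used in this view; `resolve` and `split_range` are hypothetical names.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk relative-time units covered by this sketch.
UNITS = {"s": "seconds", "sec": "seconds", "m": "minutes", "min": "minutes",
         "h": "hours", "hr": "hours", "d": "days"}
# Fields zeroed when snapping (@unit) to the start of each unit.
SNAP = {"seconds": {"microsecond": 0},
        "minutes": {"second": 0, "microsecond": 0},
        "hours": {"minute": 0, "second": 0, "microsecond": 0},
        "days": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0}}
TOKEN = re.compile(r"([+-]\d+)([a-z]+)|@([a-z]+)")

def resolve(modifier, now):
    """Resolve one modifier, applying offsets and snaps left to right."""
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in TOKEN.finditer(modifier):
        amount, unit, snap_unit = m.groups()
        name = UNITS.get(unit or snap_unit)
        if m.start() != pos or name is None:
            raise ValueError(f"unsupported time modifier: {modifier!r}")
        pos = m.end()
        if amount is not None:
            t += timedelta(**{name: int(amount)})
        else:
            t = t.replace(**SNAP[name])
    if pos == 0 or pos != len(modifier):
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    return t

def split_range(value, now, delim=","):
    """Mimic the ValueSetter split: 'earliest,latest' -> two datetimes."""
    parts = value.split(delim)
    if len(parts) != 2:
        raise ValueError(f"expected earliest{delim}latest, got {value!r}")
    earliest, latest = (resolve(p.strip(), now) for p in parts)
    if earliest >= latest:
        raise ValueError(f"empty time window: {value!r}")
    return earliest, latest

if __name__ == "__main__":
    now = datetime(2024, 3, 15, 10, 42, 30)  # constructed clock
    for value in ("-15min@min,@min", "-60min@min,@min", "-1d@d+18h,@d"):
        earliest, latest = split_range(value, now)
        print(f"{value:18} {earliest} -> {latest}")
```

The same check can be run over option values loaded from a lookup, where a malformed row would otherwise only surface when a user picks it.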


the_wolverine
Champion

Nick, this worked perfectly for me. I was trying to find a way to create custom timeranges without affecting the entire Splunk userbase on our instance -- and without having to use a separate app. Thanks!!

0 Karma

oded4478
Explorer

Thank you very much Nick.
While a useful lead, a correct answer will be awarded for some details regarding implementation with only Core Splunk components.

0 Karma

sideview
SplunkTrust

If you're working on customer deployments and the customer ends up owning all of the work product, that is actually covered under the Sideview Free Internal Use Licensing Agreement. It's only if your company is selling its customers a license to use a product that your company is itself owning, then you run into our licensing restrictions and you would need the OEM license. Feel free to email me at nick [at] sideviewapps.com and I'm happy to talk by phone. Certainly a lot of Splunk consultants use Sideview Utils in the field. http://sideviewapps.com/apps/sideview-utils/testimonials

0 Karma

noambz
Explorer

Thanks for the detailed answer!
I will definitely take a look at the new version of SideView Utils in the near future,
but I've noticed it's not free in case we provide the reports for external clients.
While in the future I would gladly utilize a tool which saves me time, I need to provide this report soon and cannot wait for a purchase.
Can you please provide more details regarding the implementation using only Core Splunk modules?

0 Karma