Splunk Search

Mutiple timepicker for same search

ma_anand1984
Contributor

I'm having a query that has a sub-search. I want to pass one time-period to outer query and another to sub-search.

I would like to do that using TWO Time Pickers.

How can i make it work. I can i uniquely identify a time picker?

Anand

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

The ValueSetter trick should work. In the below don't think of the $search.timeRange.earliest$ and $search.timeRange.latest$ keys as the actual keys that TimeRangePicker outputs, or you'll make some bad assumptions. Instead think of them as a convenient second way that Sideview Utils gives you to get the timerange arguments. Basically the two value setters use these keys to stash away the first timerange before it gets clobbered by the second timerange.

<module name="TimeRangePicker">
  <param name="allowSoftSubmit">True</param>
  <param name="default">Last 7 days</param>

  <module name="ValueSetter">
    <param name="name">stashedEarliest</param>
    <param name="value">$search.timeRange.earliest$</param>

    <module name="ValueSetter">
      <param name="name">stashedLatest</param>
      <param name="value">$search.timeRange.latest$</param>

      <module name="TimeRangePicker">
        <param name="allowSoftSubmit">True</param>
        <param name="default">Last 24 hours</param>

I would make sure you're on latest Sideview Utils though, because in the 100+ bugs and fixes between 1.3.X and 2.X I'm pretty sure there were some problems found and fixed around these timerange keys.

View solution in original post

sideview
SplunkTrust
SplunkTrust

The ValueSetter trick should work. In the below don't think of the $search.timeRange.earliest$ and $search.timeRange.latest$ keys as the actual keys that TimeRangePicker outputs, or you'll make some bad assumptions. Instead think of them as a convenient second way that Sideview Utils gives you to get the timerange arguments. Basically the two value setters use these keys to stash away the first timerange before it gets clobbered by the second timerange.

<module name="TimeRangePicker">
  <param name="allowSoftSubmit">True</param>
  <param name="default">Last 7 days</param>

  <module name="ValueSetter">
    <param name="name">stashedEarliest</param>
    <param name="value">$search.timeRange.earliest$</param>

    <module name="ValueSetter">
      <param name="name">stashedLatest</param>
      <param name="value">$search.timeRange.latest$</param>

      <module name="TimeRangePicker">
        <param name="allowSoftSubmit">True</param>
        <param name="default">Last 24 hours</param>

I would make sure you're on latest Sideview Utils though, because in the 100+ bugs and fixes between 1.3.X and 2.X I'm pretty sure there were some problems found and fixed around these timerange keys.

sideview
SplunkTrust
SplunkTrust

I'm afraid you do need two. I've considered an alternate way of using ValueSetter, where you specify <param name="arg.someName">someValue</param>. This would only be an alternate way, not a replacement for the straight up name/value params. However this is still only at the tinkering stage and other priorities have consistently risen higher in the queue.

martin_mueller
SplunkTrust
SplunkTrust

Two param tags with the same name ("name", "value") would then overwrite each other.

0 Karma

ma_anand1984
Contributor

Thank you, do we really need to use two Valusetter module, i thought we can use two name value pairs in same module

0 Karma

ma_anand1984
Contributor

thank you. I thought of the same. I'm currently using a custom made pulldown

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The only way I see would be to rewrite the keys from the first TimeRangePicker with a ValueSetter to avoid being overwritten by the second TimeRangePicker - I have no idea whether this will work or not though.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...