if i use earliest or latest in saved search,and use it in view, the annoying message will appear! how i can suppress it or eliminate it?
One method is to modify the func "getHTMLTransform" in the "Message.js" to compare and filter your message exactly, for e.g.
getHTMLTransform: function(){
var html = [];
for(var i=0; i<this.messages.length; i++){
var message = this.messages[i];
if (message.content == "Your timerange was substituted based on your search string") {
continue;
};
html.push('<li class="'+message.level+'">');
html.push(this.getWikiTranform(message.content));
html.push('</li>');
}
return html.join('');
}
One method is to modify the func "getHTMLTransform" in the "Message.js" to compare and filter your message exactly, for e.g.
getHTMLTransform: function(){
var html = [];
for(var i=0; i<this.messages.length; i++){
var message = this.messages[i];
if (message.content == "Your timerange was substituted based on your search string") {
continue;
};
html.push('<li class="'+message.level+'">');
html.push(this.getWikiTranform(message.content));
html.push('</li>');
}
return html.join('');
}
This change will get overwritten every time you upgrade without any prompting. This includes installations of service releases.
Well, the simplest way is to not put the time range in the search string, but to use the earliest
and latest
paramters instead. These are available in saved searches, and can be specified in views.
This error still appears even if you specify earliest and latest, at least in 4.3.2, FWIW.
i have defined time range as a macro which make saved search more fiexible. there are many savesearch used the macro.thanks gkanapathy!
Variations of this question keep coming up. You can suppress it with the filter
param of the Message module in advanced XML, but you'll filter out other messages as well.
Take a look at the following threads:
While you're at it, you might also submit an enhancement request to Splunk and ask for more targeted filtering.
Unless you can take it out of the search string altogether as gkanapathy suggests, I don't know of a cleaner solution. You could do something with CSS but that gets ugly fast. Remember though that converting to advanced XML might not be as bad as you think, since Splunk will do most of the work for you if you add ?showsource=1
to the URL of your existing view.
thanks a lot! while i have a large number of views(which not build in advanced way but in dashboard or form). i cannot transform all of them to advanced views, so there is other elegant solution? southeringtonp, thanks again!