How can I use a dashboard timepicker across two timeranges and a subsearch

pwild_splunk — Fri, 13 Jul 2018 10:33:02 GMT

I have a complex search query that is quite slow when run over a longer period of time. It populates a dashboard.
To improve the dashboard's performance, I'm using a summary index which is supplemented with yesterday's data every night but I also want to include today's data within the dashbaord.

To do this, my dashboard has a search like this:

Index=mysummary
| appendpipe
[ search index=mydata earliest=@d ]
| table my, fields, here

This works fine with the timepicker so long as latest is always now. If I choose something like "Previous week" in the timepicker on the dashboard, I still get today's data appended because of the "@d" in the subsearch.

How can I modify the subsearch to only include today's data if today falls within the range of the timepickers time wndow?

Re: How can I use a dashboard timepicker across two timeranges and a subsearch

skoelpin — Fri, 13 Jul 2018 11:47:11 GMT

I just solved a very similar problem.. I created a hidden panel in a dashboard which accepts the value from the timerange picker, and its output would look like earliest=<epoch> AND latest=<epoch> then used a token to pass this to the subsearch

https://answers.splunk.com/answers/664666/how-to-add-seconds-to-epoch-time-using-time-modifi.html

topic Re: How can I use a dashboard timepicker across two timeranges and a subsearch in Splunk Search

How can I use a dashboard timepicker across two timeranges and a subsearch

Re: How can I use a dashboard timepicker across two timeranges and a subsearch