How do you display the earliest and latest dates of the searches in a dashboard that is later rendered into a PDF report?
This report gets mailed out once a week and with no earliest and latest dates it is pretty tough to keep track of them.
You could add a table showing the min and max _time, like this:
index=main | stats min(_time) AS startDate, max(_time) AS endDate | convert timeformat="%F %T" ctime(*Date)
Just add it as another element to the Dashboard in a table format.
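The query above reports the first and last event that matched, which is not the same as the window the search was asked to cover. The variation below is an added example, not part of the original answer: it uses the `addinfo` command to show both, so a weekly report also reveals when data is missing at either end of the window. The `index=main` base search is taken from the answer; the output field names are illustrative.

```spl
index=main
| stats min(_time) AS firstEvent, max(_time) AS lastEvent
| addinfo
| eval windowStart=info_min_time
| eval windowEnd=if(info_max_time="+Infinity", info_search_time, info_max_time)
| convert timeformat="%F %T" ctime(windowStart) ctime(windowEnd) ctime(firstEvent) ctime(lastEvent)
| table windowStart windowEnd firstEvent lastEvent
```

For an all-time search `info_min_time` is 0 and `info_max_time` is "+Infinity", which is why the upper bound falls back to the time the search ran.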
If, like me, you don't want that information in a table but want to display it in some HTML or in the title of panels, edit the XML and locate the ... block. Within it, add a "done" clause like in this example:
<search>
  <query> ... </query>
  <earliest> ... </earliest>
  <latest> ... </latest>
  <done>
    <eval token="earliest_token"> strftime( relative_time( now(), $job.request.earliest_time$ ), "%c" ) </eval>
    <eval token="latest_token"> strftime( relative_time( now(), $job.request.latest_time$ ), "%c" ) </eval>
  </done>
</search>
Then you can do things like:
<row>
  <panel>
    <html>
      <p>Showing data from $earliest_token$ to $latest_token$.</p>
    </html>
  </panel>
</row>
There are many ways this can be tweaked to your preference, starting with the format you give to strftime. This example assumes that the earliest/latest are relative times such as "-7d@d" etc. You'll need to update the eval if they are epoch timestamps, for instance.
Also, I'm using this with a base search at the top of the dashboard (outside any panel). If you're trying this with a search within a panel, I'm not 100% sure the tokens will be available everywhere in the dashboard.
One slight annoyance with this solution is that the earliest/latest tokens are not populated until the search is done, but I haven't found how to avoid that. Works for me anyway.