Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Advanced Time Picker not returning correct value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Advanced Time Picker not returning correct value
I have set a default custom time to between last week and this week Thursday, however the latest time is not being reflected correctly in the token myTimepickerUnixLatest. Instead, the myTimepickerUnixLatest token ends up being the exact same as myTimepickerUnixEarliest. I am not sure where I am going wrong, I believe the fault is lying in relative_time(now(),'latest').
<input type="time" token="time">
<label></label>
<default>
<earliest>@w4</earliest>
<latest>+1w@w4</latest>
</default>
<change>
<eval token="myTimepickerUnixEarliest">if(isnum('earliest'),'earliest',relative_time(now(),'earliest'))</eval>
<eval token="myTimepickerUnixLatest">if(isnum('latest'),'latest',relative_time(now(),'latest'))</eval>
<eval token="myTimepickerEarliest">strftime(myTimepickerUnixEarliest, "%B %d %Y %H:%M:%S")</eval>
<eval token="myTimepickerLatest">strftime(myTimepickerUnixLatest, "%B %d %Y %H:%M:%S")</eval>
</change>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hawifaris please refer to one of my older answer to achieve this using independent search as a workaround since earliest and latest token do not work as expected: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
There are two option based on similar approach. Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll admit I don't fully understand your use case, but have you looked at this link? https://docs.splunk.com/Documentation/Splunk/7.1.0/Viz/PanelreferenceforSimplifiedXML
The solution may lie in the section labeled "condition (form input)". I use this logic a lot to set multiple tokens based upon conditions that match the input's label or value. Maybe you can use this to set tokens that have relative ranges?
Plus, did you try set token instead of eval token? See the link I provided for the syntax.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
