Hi @abhishekP
This is an interesting one. When selecting a relative time window the earliest/latest are values like "-1d@d" which are valid for the earliest/latest field in a search - however when you select specific dates/between dates etc then it returns the full date string such as "2025-05-07T18:47:22.565Z"
Such a value is not supported by the earliest/latest field in a Splunk search, to get around this I have put together a table off the side of the display with a search which converts dates into epoch where required. you can then use "$timetoken:result.earliest_epoch$" and "$timetoken:result.latest_epoch$" as tokens in your other searches like this:
Below is the full JSON of the dashboard so you can have a play around with it - hopefully this helps!
{
"title": "testing",
"description": "",
"inputs": {
"input_global_trp": {
"options": {
"defaultValue": "-24h@h,now",
"token": "global_time"
},
"title": "Global Time Range",
"type": "input.timerange"
}
},
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
}
}
}
},
"visualizations": {
"viz_2FDRkepv": {
"dataSources": {
"primary": "ds_IPGx8Y5Y"
},
"options": {},
"type": "splunk.events"
},
"viz_V1oldcrB": {
"options": {
"markdown": "earliest: $global_time.earliest$ \nlatest: $global_time.latest$ \nearliest_epoch: $timetoken:result.earliest_epoch$ \nlatest_epoch:$timetoken:result.latest_epoch$"
},
"type": "splunk.markdown"
},
"viz_bhZcZ5Cz": {
"containerOptions": {},
"context": {},
"dataSources": {
"primary": "ds_KXR2SF6V"
},
"options": {},
"showLastUpdated": false,
"showProgressBar": false,
"type": "splunk.table"
}
},
"dataSources": {
"ds_IPGx8Y5Y": {
"name": "timetoken",
"options": {
"enableSmartSources": true,
"query": "| makeresults \n| eval earliest=$global_time.earliest|s$, latest=$global_time.latest|s$\n| eval earliest_epoch = IF(match(earliest,\"[0-9]T[0-9]\"),strptime(earliest, \"%Y-%m-%dT%H:%M:%S.%3N%Z\"),earliest), latest_epoch = IF(match(latest,\"[0-9]T[0-9]\"),strptime(latest, \"%Y-%m-%dT%H:%M:%S.%3N%Z\"),latest)"
},
"type": "ds.search"
},
"ds_KXR2SF6V": {
"name": "Search_1",
"options": {
"query": "index=_internal earliest=$timetoken:result.earliest_epoch$ latest=$timetoken:result.latest_epoch$\n| stats count by host"
},
"type": "ds.search"
}
},
"layout": {
"globalInputs": [
"input_global_trp"
],
"layoutDefinitions": {
"layout_1": {
"options": {
"display": "auto",
"height": 960,
"width": 1440
},
"structure": [
{
"item": "viz_V1oldcrB",
"position": {
"h": 80,
"w": 310,
"x": 20,
"y": 20
},
"type": "block"
},
{
"item": "viz_2FDRkepv",
"position": {
"h": 260,
"w": 460,
"x": 1500,
"y": 20
},
"type": "block"
},
{
"item": "viz_bhZcZ5Cz",
"position": {
"h": 380,
"w": 1420,
"x": 10,
"y": 140
},
"type": "block"
}
],
"type": "absolute"
}
},
"tabs": {
"items": [
{
"label": "New tab",
"layoutId": "layout_1"
}
]
}
}
}🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
