Dear Splunk users,
I am working on an existing dashboard with certain inputs. These inputs are dynamically populated and use a search query for that. However, to filter the events on time, I see a token being used with a "where" clause, and the XML tags <earliest> and <latest> are removed. I am just curious what default time range the search picks in this case. The original token uses a 2-week span. I have attached the source here.
I would really appreciate it if you could provide references to your answers in the Splunk docs. Thanks and happy splunking 🙂
I am just wondering if the search for this input uses all-time.
<input type="multiselect" token="Baseline" searchWhenChanged="true">
  <label>Baseline</label>
  <choice value="*">All (including unplanned)</choice>
  <choice value="RB*">All (planned only)</choice>
  <choice value="undefined">Unplanned</choice>
  <fieldForLabel>Baseline</fieldForLabel>
  <fieldForValue>Baseline</fieldForValue>
  <search>
    <query>index=abcd sourcetype="xyz"
| where strftime(_time, "%F")=$TIME_FILTER$
| dedup Baseline
| sort Baseline</query>
  </search>
  <valuePrefix>Baseline="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <default>*</default>
</input>
Token to filter time:
<input type="dropdown" searchWhenChanged="true" token="TIME_FILTER">
  <selectFirstChoice>true</selectFirstChoice>
  <label>Time Picker</label>
  <prefix>"</prefix>
  <suffix>"</suffix>
  <fieldForLabel>ttime</fieldForLabel>
  <fieldForValue>ttime</fieldForValue>
  <search>
    <finalized>
      <condition match="$result.today$!=$result.latestDate$">
        <set token="LATEST_DATE">$result.latestDate$</set>
      </condition>
      <condition>
        <unset token="LATEST_DATE"></unset>
      </condition>
    </finalized>
    <query>| loadjob `savedsearch(xyz, $env:app$)`
| fields _time
| eval ttime = strftime(_time, "%F")
| eval today = strftime(now(), "%F")
| dedup ttime
| eventstats latest(ttime) as latestDate</query>
    <earliest>-2w</earliest>
    <latest>now</latest>
  </search>
</input>
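As an added example (not from the post and not Splunk's own tooling), a small Python linter that reads a Simple XML fragment, reports every <search> that carries neither <earliest>/<latest> nor a time-range token in its query, and can add explicit bounds to those searches. The sample XML is a constructed, trimmed copy of the two inputs above wrapped in a <form> root so it parses as one document; the "token in query" check is a simple substring heuristic, an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the two inputs from the post, wrapped
# in a <form> root so the fragment parses as a single XML document.
SAMPLE_XML = """<form>
  <input type="multiselect" token="Baseline" searchWhenChanged="true">
    <label>Baseline</label>
    <search>
      <query>index=abcd sourcetype="xyz"
| where strftime(_time, "%F")=$TIME_FILTER$
| dedup Baseline</query>
    </search>
  </input>
  <input type="dropdown" searchWhenChanged="true" token="TIME_FILTER">
    <label>Time Picker</label>
    <search>
      <query>| loadjob `savedsearch(xyz, $env:app$)` | fields _time</query>
      <earliest>-2w</earliest>
      <latest>now</latest>
    </search>
  </input>
</form>"""


def _is_unbounded(search):
    """True when a <search> has no <earliest>/<latest> child and its query
    does not reference a time token such as $tok.earliest$ (heuristic)."""
    query = search.findtext("query") or ""
    has_bounds = any(search.find(tag) is not None for tag in ("earliest", "latest"))
    uses_time_token = any(s in query for s in ("earliest$", "latest$"))
    return not has_bounds and not uses_time_token


def find_unbounded_searches(xml_text):
    """Return the token name of each input whose search has no time bounds."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for search in root.iter("search"):
        if _is_unbounded(search):
            owner = parents.get(search)
            findings.append(owner.get("token", owner.tag) if owner is not None else "?")
    return findings


def add_time_bounds(xml_text, earliest="-2w", latest="now"):
    """Return the XML with explicit <earliest>/<latest> added to every
    unbounded <search>; defaults mirror the 2-week span of the post."""
    root = ET.fromstring(xml_text)
    for search in root.iter("search"):
        if _is_unbounded(search):
            ET.SubElement(search, "earliest").text = earliest
            ET.SubElement(search, "latest").text = latest
    return ET.tostring(root, encoding="unicode")
```

Running the linter on a whole dashboard before deployment gives a quick inventory of searches that will fall back to whatever default the dashboard applies, which is what you want to know before an input search scans a large index.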