 
					
				
		
I'm trying to compare two time ranges in one chart like the way it was taught in this article: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html
My question is how should I change the query so that I can display it in a dashboard and be able to change the time range (e.g. display the two time ranges 3 hours ago and last week same time 3 hours ago)?
Ex. the time token is called "bandwidth_time_range", and my query will be:
index=xxx earliest=$bandwidth_time_range.earliest$ latest=$bandwidth_time_range.latest$  |eval period="today"|  append [search index=xxx earliest=$bandwidth_time_range.earliest$-7d@m latest=$bandwidth_time_range.latest$-7d@m  | eval period="last_week"   | eval _time=_time+(60*60*24*7)]  | timechart span=1m sum(bytes) by period
The panel didn't return a timechart. Instead it says "invalid value "now-7d@m" for time term "latest""
Is there anything I can do to link the query and the time picker together?
 
					
				
		
@everynameIwantistaken if you want to substitute time ranges (i.e. the current time range and the time range 7 days back) based on the Time picker, you can refer to the following answer, which sets the time token based on an independent search with either addinfo or eval to set the token: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
The following run-anywhere example uses addinfo to evaluate the earliest and latest time for the current time and 7 days back. PS: For All Time, the latest time will be +Infinity from the addinfo command, hence it is converted to the present time using the now() function.
Please try out and confirm!
Following is the Simple XML dashboard code for the run-anywhere example.
<form>
  <label>Time range based on Time Token</label>
  <!-- Set Token based on Time Picker -->
  <search>
    <query>| makeresults 
| addinfo
| eval info_max_time=if(info_max_time=="+Infinity",now(),info_max_time)
| eval lastWeekEarliestEpoch=if(info_min_time=0,"0",relative_time(info_min_time,"-7d"))
| eval lastWeekLatestEpoch=relative_time(info_max_time,"-7d")
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <set token="tokCurrentEarlistEpoch">$result.info_min_time$</set>
      <set token="tokCurrentLatestEpoch">$result.info_max_time$</set>
      <set token="tokLastWeekEarliestEpoch">$result.lastWeekEarliestEpoch$</set>
      <set token="tokLastWeekLatestEpoch">$result.lastWeekLatestEpoch$</set>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval CurrentEarlistEpoch=$tokCurrentEarlistEpoch$, CurrentLatestEpoch=$tokCurrentLatestEpoch$, LastWeekEarliestEpoch=$tokLastWeekEarliestEpoch$, LastWeekLatestEpoch=$tokLastWeekLatestEpoch$
| fieldformat CurrentEarlistEpoch=strftime(CurrentEarlistEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat CurrentLatestEpoch=strftime(CurrentLatestEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat LastWeekEarliestEpoch=strftime(LastWeekEarliestEpoch,"%Y-%m-%d %H:%M:%S")
| fieldformat LastWeekLatestEpoch=strftime(LastWeekLatestEpoch,"%Y-%m-%d %H:%M:%S")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=INFO earliest=$tokCurrentEarlistEpoch$ latest=$tokCurrentLatestEpoch$ 
| timechart count as "Current Time Selected" 
| appendcols 
    [ search index=_internal sourcetype=splunkd log_level=INFO earliest=$tokLastWeekEarliestEpoch$ latest=$tokLastWeekLatestEpoch$ 
    | timechart count as "7 Days Prior" 
    | eval _time=relative_time(_time,"+7d")]</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
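A single-panel variant of the same idea, added here as an example and not part of the original answer: a nested subsearch reads the picker's range with addinfo, shifts it back 7 days, and hands epoch earliest/latest values to the last-week search with return, so no separate token-setting search is needed. It assumes the index=xxx, bytes field and bandwidth_time_range token from the question.

```xml
<!-- Added example, not from the original answer. index=xxx, bytes and the
     bandwidth_time_range token are taken from the question. -->
<chart>
  <search>
    <!-- The innermost subsearch inherits the panel's time range, so addinfo
         reports the picker's resolved epoch bounds. "return earliest latest"
         emits them as earliest=... latest=... terms for the last-week search. -->
    <query>index=xxx
| eval period="today"
| append
    [ search index=xxx
        [| makeresults
         | addinfo
         | eval info_max_time=if(info_max_time=="+Infinity",now(),info_max_time)
         | eval earliest=if(info_min_time=0,0,relative_time(info_min_time,"-7d"))
         | eval latest=relative_time(info_max_time,"-7d")
         | return earliest latest ]
    | eval period="last_week"
    | eval _time=_time+(60*60*24*7) ]
| timechart span=1m sum(bytes) by period</query>
    <!-- The picker tokens are used only here, never concatenated with "-7d@m"
         inside the query, which is what produced "now-7d@m" in the question. -->
    <earliest>$bandwidth_time_range.earliest$</earliest>
    <latest>$bandwidth_time_range.latest$</latest>
  </search>
  <option name="charting.chart">line</option>
</chart>
```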
 
					
				
		
 
					
				
		
Thank you very much, this works perfectly.
 
					
				
		
Hello,
I had a query where I search the same data 1 week ago for 1 hour.
....
| join type=outer _time 
[ search sourcetype=logs type=traffic service=HTTP* earliest=-1w@-1h latest=-1w | ....
Maybe you need to change your tokens to earliest=-1w@$bandwidth_time_range.earliest$ latest=-1w@$bandwidth_time_range.latest$
but I am not sure if it will work because of the data time format.
