Solved: Re: How to run searches using different time range...

dzyfer · ‎08-28-2022

Hi, I would like to know how to run searches using different time ranges in dropdown.

For example, an input in the dropdown would be labelled "Yesterday", and I would like to assign 2 different time ranges to the same label, such that I can run 2 different searches using the separate time ranges by just selecting one input from the dropdown.

I have tried defining 4 tokens under the same label, but it doesn't work, ie.

<choice value="yesterday">Yesterday</choice>
 <condition label="Yesterday">
  <set token="custom_earliest">-8d@d+7h</set>
  <set token="custom_latest">@d+7h</set>
  <set token="breakdown_earliest">-1d@d+7h</set>
  <set token="breakdown_latest">@d+7h</set>
</condition>

Thanks

chaker · ‎08-28-2022

A few things to try:

Print out the tokens in a panel to make sure they are being set to the value you expect. You may need to use dot notation, so what ever the token name of your input is.

my_date.custom_earliest
my_date.custom_latest

Try wrapping the time modifer in quotes

Try matching condition value instead of label. Should be the same, but worth a try.

View solution in original post

chaker · ‎08-28-2022

A few things to try:

Print out the tokens in a panel to make sure they are being set to the value you expect. You may need to use dot notation, so what ever the token name of your input is.

my_date.custom_earliest
my_date.custom_latest

Try wrapping the time modifer in quotes

Try matching condition value instead of label. Should be the same, but worth a try.

How to run searches using different time ranges in dropdown?

drilldown

form

simple XML

token

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?