How to use 2 timepickers in splunk dashboard query

sngs0849 · ‎05-04-2020

I have a dashboard query where I am comparing some stats between 2 different dates. I am able to use one time picker but not sure how to remove - (earliest=1587963600 latest=1588050000) and take it as a paramerter from timepicker.

 source=table1 (earliest=1587963600 latest=1588050000)
    | JOIN type=inner id 
    [ SEARCH source=table1  
    | rename user_id AS id ] </query>
              <earliest>$currentStatus.earliest$</earliest>
              <latest>$currentStatus.latest$</latest>
            </search>

to4kawa · ‎05-04-2020

<query>source=table1 | rename user_id AS id | eval flag="current"
| append [ search source=table1 (earliest=1587963600 latest=1588050000) 
| eval flag="before" ]
| stats AsYouLike by id </query>

I don't have accurate information, so this is about it.

How to use 2 timepickers in splunk dashboard query

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!