Search time range based on epoch token from drilld...

TalNiv · ‎02-20-2023

I have a dashboard which received a token named "time" by drilldown, which stores a specific time in epoch.

Now I want the searches in my dashboard to have a time range based on this epoch value.

I tried to use this token in "earliest" and "latest", i.e, <earliest>$time$</earliest>.

I worked only when I put the token as is, but not with any kind of simple arithmetic like <earliest>$time$ - 100000 </earliest>.

How can I use my epoch token to set the time ranges in my panels?

danspav · ‎02-21-2023

Hi @TalNiv ,

The easiest way is how @gcusello said - update the original dashboard to create two tokens for earliest / latest.

You can add this to the section where you create the $time$ token in the original dashboard:
<eval token="earliest">tonumber($time$) - 10000</eval>

If you don't have access to that dashboard there aren't many options. AFAIK you cannot use URL sourced tokens in the <init> section of your dashboard to do the same eval tag.

One very roundabout way is to create a dummy search, and create tokens off that. E.g. put this at the top of your dashboard under the label section:

<search>
<query>|makeresults | eval earliest=tonumber($time$) - 100000, latest=$time$</query>
<done>
<set token="earliest">$result.earliest$</set>
<set token="latest">$result.latest$</set>
</done>
</search>

Now you can use $earliest$ and $latest$ in your searches.

gcusello · ‎02-20-2023

Hi @TalNiv,

in the main dashboard create two fields earliest and latest (both in epochtime) and then pass them in drilldown.

Ciao.

Giuseppe

Search time range based on epoch token from drilldown, how can I use my epoch token to set the time ranges in my panels?

dashboard

drilldown

panel

token

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?