I have a form that allows the user to input a text token. The idea is the user will input date and time information. I then would like to have a search on the form run starting 10 minutes before the value entered, and ending 10 min after.
I would like the user to be able to enter the value in a readable format, %m/%d/%y %T for example. I assume I will then have to convert it to epoch format so I can add / subtract 600 seconds. I can do this using … | convert mktime($user__input$) AS epoc_time | eval Start=epoc_time-600 | eval End=epoc_time+600
How can I now use these values to control the earliest and latest variables for the search?
Is there an easier way to do this altogether?
I know I could just have the user perform the calculations and input the adjusted values into different tokens, but I would like to avoid that.
You could do it like this:
… | convert mktime($user__input$) AS epoc_time
| eval Start=epoc_time-600
| eval End=epoc_time+600
| where _time >= Start AND _time <= End
However, this means that the initial search would run over all time, which is probably not what you want.
In a simple XML form, you can include the Time Range Picker, which I think will work much better for what you want...
<fieldset>
<input type="time">
</input>
</fieldset>
Thanks for the response, but I already have the time picker added to provide other functionality on the form.
The scope of the form is to look for events over a specific time, and then I was hoping to have a panel on the form that shows other events right before and right after the identified window.
For example, a list of people who logged on right before the start time, and people that logged off right after the end time.
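One way to drive earliest and latest from the typed timestamp, as an added example that is not from any poster in this thread: a subsearch computes the two bounds and returns them to the outer search as time modifiers, so the search no longer has to scan all time. The index, sourcetype and field names are placeholders, and the `|s` token filter is used so the typed text is quoted as a string literal instead of being pasted into the query as raw SPL.

```xml
<form>
  <label>Events around a given time (added example)</label>
  <fieldset submitButton="true">
    <!-- Free-text token; expected format %m/%d/%y %T, e.g. 03/14/24 09:30:00 (constructed value) -->
    <input type="text" token="user__input">
      <label>Timestamp (mm/dd/yy HH:MM:SS)</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events within 10 minutes of the timestamp</title>
      <table>
        <search>
          <!-- index=main, sourcetype=auth_log, user and action are placeholders, not from the thread. -->
          <!-- $user__input|s$ wraps the token value in quotes so it stays a string argument to strptime. -->
          <!-- The subsearch runs first; "return earliest latest" hands earliest=... latest=... to the outer search. -->
          <query>
            index=main sourcetype=auth_log
              [| makeresults
               | eval t=strptime($user__input|s$, "%m/%d/%y %T")
               | eval earliest=t-600, latest=t+600
               | return earliest latest]
            | table _time user action
          </query>
          <!-- Range used when the subsearch returns no bounds (for example, unparseable input); keep it narrow. -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The same subsearch can be reused in a second panel with different offsets (for example `earliest=t-1200, latest=t-600`) to show only the events just before the window.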