Dashboards & Visualizations

adjust earliest / latest values at search time


I have a form that allows the user to input a text token. The idea is the user will input date and time information. I then would like to have a search on the form run starting 10 minutes before the value entered, and ending 10 min after.

I would like the user to be able to enter the value in a readable format, %m/%d/%y %T for example. I assume I will then have to convert it to epoch format so I can add / subtract 600 seconds. I can do this using … | convert mktime($user__input$) AS epoc_time | eval Start=epoc_time-600 | eval End=epoc_time+600

How can I now use these values to control the earliest and latest variables for the search?

Is there an easier way to do this all together?

I know I could just have the user perform the calculations and input the adjusted values into different tokens, but I would like to avoid that.



You could do it like this

… | convert mktime($user__input$) AS epoc_time 
| eval Start=epoc_time-600 
| eval End=epoc_time+600
| where _time >= Start AND _time <= End

However, this means that the initial search would run over all time, which is probably not what you want.
In a Simple XML form, you can include the Time Range Picker, which I think will work much better for what you want...

  <input type="time">


Thanks for the response, but I already have the time picker added to provide other functionality on the form.

The scope of the form is to look for events over a specific time, and then I was hoping to have a panel on the form that shows other events right before and right after the identified window.

For example, a list of people who logged on right before the start time, and people that logged off right after the end time.

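As an added example, not from any post in this thread, here is a Simple XML form that does what the question and the follow-up ask for: the existing time picker drives the main panel, a separate text token holds the reference timestamp in %m/%d/%y %T form, and two panels search a window from 10 minutes before to 10 minutes after that timestamp. The first panel derives the bounds in the browser with eval tokens in the input's <change> block and feeds them to the panel's <earliest>/<latest>; the second panel stays in plain SPL and sets the time range with a subsearch that returns fields named earliest and latest, which the search head treats as time modifiers. The token name user_input and the index, action, user and src field names are assumptions. The $user_input|s$ form is used where the token lands inside the query string so that a user-typed quote character is escaped instead of breaking (or rewriting) the search.

```xml
<form>
  <label>Events around a user-supplied timestamp</label>
  <!-- Added example; field names (index=auth, action, user, src) are assumed -->
  <fieldset submitButton="true">
    <!-- The picker the original poster already has; it scopes the main panel only -->
    <input type="time" token="main_time">
      <label>Main window</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Reference time typed by the user, e.g. 03/14/22 09:30:00 -->
    <input type="text" token="user_input">
      <label>Reference time (%m/%d/%y %T)</label>
      <change>
        <!-- Client-side eval: each bound is derived directly from $value$,
             so neither eval depends on a token set by the other -->
        <eval token="win_start">strptime("$value$", "%m/%d/%y %T") - 600</eval>
        <eval token="win_end">strptime("$value$", "%m/%d/%y %T") + 600</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Main window (time picker)</title>
      <table>
        <search>
          <query>index=auth | stats count BY action</query>
          <earliest>$main_time.earliest$</earliest>
          <latest>$main_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Logons within 10 minutes of $user_input$ (eval tokens)</title>
      <table>
        <search>
          <!-- Epoch values from the <change> block are valid earliest/latest inputs -->
          <query>index=auth action=logon | table _time user src</query>
          <earliest>$win_start$</earliest>
          <latest>$win_end$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Logoffs within 10 minutes of $user_input$ (subsearch)</title>
      <table>
        <search>
          <!-- A subsearch returning fields named earliest and latest sets the outer
               search's time range; |s quotes and escapes the token value -->
          <query>index=auth action=logoff
  [| makeresults
   | eval center=strptime($user_input|s$, "%m/%d/%y %T")
   | eval earliest=center-600, latest=center+600
   | fields earliest latest]
| table _time user src</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The subsearch form is the one to reach for when the bounds have to come out of a search rather than a form token (for example, when the reference time is itself the result of a lookup). In either form, check the resulting time range in the Job Inspector before trusting the panel: if the typed value does not match the format string, strptime returns null, the subtraction yields nothing, and the panel silently falls back to searching all time.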