I have a form that allows the user to input a text token. The idea is the user will input date and time information. I then would like to have a search on the form run starting 10 minutes before the value entered, and ending 10 min after.
I would like the user to be able to enter the value in a readable format, %m/%d/%y %T for example. I assume I will then have to convert it to epoc format so I can add / subtract 600 seconds. I can do this using … | convert mktime($user__input$) AS epoc_time | eval Start=epoc_time-600 | eval End=epoc+600
How can I now use these values to control the earliest and latest variables for the search?
Is there an easier way to do this all together?
I know I could just have the user perform the calculations and input the adjusted values into different tokens, but I would like to avoid that.
… | convert mktime($user__input$) AS epoc_time
| eval Start=epoc_time-600
| eval End=epoc+600
| where _time >= Start AND _time <=End
However, this means that the initial search would run over all time, which is probably not what you want.
In a simple XML form, you can include the Time Range Picker, which I think will work much better for what you want...