Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on an input time token

jip31
Motivator
‎01-25-2022 09:02 AM

Hello

I use an input time token called "timepicker"

<earliest>$timepicker.earliest$</earliest>
        <latest>$timepicker.latest$</latest>

 Is there a way to call this input time token directly in my search ?

Someting like this :

Index=toto sourcetype=tutu earliest=$timepicker$ latest=$timepicker$ 

Thanks 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2022 11:50 AM

If you have to use two different time windows then you'll need two base searches.

If you really want to use a single base search then you'll have to use only one time window.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎01-27-2022 08:01 AM

Is anybody can help please?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-25-2022 11:36 AM

Reference the tokens in the search the same way they are referenced the Simple XML.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎01-25-2022 09:55 PM

right, it works

earliest=$timesource.earliest$ latest=$timesource.latest$

But is it possible to add this token somewhere else than just after the index and the sourcetype?

for example, this doesnt works

| search earliest=$timesource.earliest$ latest=$timesource.latest$
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-26-2022 05:10 AM

Please explain what you mean by "this doesnt works".  What results do you get compared to what you expect?

Depending on what is in your query prior to the search command, you may be running into the known limitation described at https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Search#Using_the_search_command_l....

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎01-26-2022 09:12 AM

In my dashboard i use 2 input time tokens

I also use 2 base search in order to display data in 2 table panels

These 2 table panels refer to the 2 input time token 

As the search are the same i want to use just one base search instead two

Actually i use 2 base search due to the 2 différents input time token

The problem is that in my base search i cant refer to 2 différent input time token

So i search a way to use just one base search with 2 input time tokens...

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2022 11:50 AM

If you have to use two different time windows then you'll need two base searches.

If you really want to use a single base search then you'll have to use only one time window.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

What's New in Splunk Observability - July 2025

What’s New?  We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what ...
Top