Splunk Enterprise

Time Picker issue with Save Report Reference




I have a complicated dashboard that is based off of a scheduled saved report. All menus and panels are fed off of one report. This report already has a _time field. I am looking back max 30 days of data and this reflects in my adjustment in the time picker as well. I want to be able to use the time picker in the dashboard when I filter for various times. When I use a saved search and token in the below code, all works fine. But when I use the saved search as a reference, the time picker does not work. What am I missing? Thanks in advance!!

<form theme="light">
  <search ref="TEST_au1_1" id="Main_Search">
  </search>
  <label>TEST AU 1</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" token="timerange" searchWhenChanged="false">
      <label>Time Range</label>
    </input>
    <input type="dropdown" token="servertype" searchWhenChanged="false">
      <label>Server Type</label>
      <search base="Main_Search">
        <query>| stats dc(Server_Type) AS count By Server_Type</query>
      </search>
    </input>
    <input type="dropdown" token="accttype" searchWhenChanged="false">
      <label>Account Type</label>
      <choice value="*">All</choice>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$"
| stats dc(UserType) AS count By UserType</query>
      </search>
    </input>
    <input type="dropdown" token="user" searchWhenChanged="false">
      <label>User Filter:</label>
      <choice value="*">All</choice>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$"
| stats dc(User) as count BY User
| fields User</query>
      </search>
    </input>
    <input type="dropdown" token="priority" searchWhenChanged="false">
      <label>Priority Filter</label>
      <choice value="*">All</choice>
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$" AND User="$user$"
| stats dc(Priority) as count by Priority
| fields Priority
| sort order</query>
      </search>
    </input>
    <input type="dropdown" token="results" searchWhenChanged="false">
      <search base="Main_Search">
        <query>| search Server_Type="$servertype$" AND UserType="$accttype$" AND User="$user$" AND Priority="$priority$"
| stats dc(Result) as count by Result
| fields Result</query>
      </search>
      <choice value="*">All</choice>
    </input>
  </fieldset>
  <row depends="$hide$">
    <panel>
      <title>This panel is for hiding unnecessary time ranges since we are using max 30 Days of data as per requirements. DO NOT Delete this panel.</title>
      <html>
        <style>
           button[data-test^='Previous business week'],
           button[data-test^='Business week to date'],
           button[data-test^='Year to date'],
           button[data-test^='Previous week'],
           button[data-test^='Previous month'],
           button[data-test^='Previous year'] {
             display:none !important;
           }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events Timechart</title>
      <chart>
        <search base="Main_Search">
          <query>| search UserType="$accttype$" AND User="$user$" AND Priority="$priority$" AND Result="$results$"
| timechart count</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.resultTruncationLimit">1000000</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
        <option name="charting.legend.placement">none</option>
        <option name="link.exportResults.visible">0</option>
        <option name="link.inspectSearch.visible">0</option>
        <option name="link.openPivot.visible">0</option>
        <option name="link.openSearch.visible">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="refresh.link.visible">0</option>
      </chart>
    </panel>
  </row>
</form>


0 Karma

Path Finder

This worked for me.  My time picker input "token" value is "field3".


<search ref="my report"></search>


<search ref="my report">



0 Karma

Loves-to-Learn Lots

Hello @mbasharat,

I've found a workaround by using the "where" command before a panel subsearch.

Example in your case:

      <title>Events Timechart</title>
        <search base="Main_Search">
          <query>where _time>=$timerange.earliest$ AND _time&lt;=$timerange.latest$
| search UserType="$accttype$" AND User="$user$" AND Priority="$priority$" AND Result="$results$"
| timechart count</query>
        </search>

Try to add in your query: "where _time>=$timerange.earliest$ AND _time<=$timerange.latest$"

Unfortunately, for timelines, for example, I noticed that the display does not automatically scale the panel to the dashboard time range, but the data that appears does match it.


0 Karma

Loves-to-Learn Lots

Hello @mbasharat,

I am experiencing the same issue.
Even if I set a time range shorter than the one set in the report, the panel does not take it into consideration.
Did you find another way to make it work?

I hope someone could answer to help us.



0 Karma


1. Create a background search in order to convert the time picker into epoch time and create token values for the new converted fields.

<eval token="toearliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
<eval token="tolatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
<set token="jobearliest">$job.earliestTime$</set>
<set token="joblatest">$job.latestTime$</set>

Then, add this logic into your panels:

| eval earliest = $toearliest$
| eval latest =if($tolatest$ <= 0, now(),$tolatest$)
| eval datefield=_time
| where datefield >= earliest AND datefield <= latest

If you want, you can also choose a different field other than _time. Just remember to convert that field into epoch time.


Hope this helps!

0 Karma
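The steps from the reply above, assembled into one minimal dashboard as an added example that is not part of the original thread. The report name and the token names come from the posts; the search id `time_resolver`, the 7-day default, placing the token-setting elements in a `<done>` handler and the trimmed single panel are assumptions, and the report is assumed to return `_time` on every row.

```xml
<form theme="light">
  <label>Saved report filtered by time picker (added example)</label>
  <!-- Base search: loads the scheduled report's results; its time window is fixed by the report -->
  <search ref="TEST_au1_1" id="Main_Search"></search>
  <!-- Background search (hypothetical id): runs over the picker's range only so the
       finished job exposes the resolved earliest/latest times, which are then converted to epoch -->
  <search id="time_resolver">
    <query>| makeresults</query>
    <earliest>$timerange.earliest$</earliest>
    <latest>$timerange.latest$</latest>
    <done>
      <eval token="toearliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="tolatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="timerange" searchWhenChanged="true">
      <label>Time Range</label>
      <!-- Assumed default; keep it inside the 30 days the report covers -->
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events Timechart</title>
      <chart>
        <!-- Post-process search: keeps only the report rows whose _time falls in the picked range -->
        <search base="Main_Search">
          <query>| eval earliest=$toearliest$
| eval latest=if($tolatest$ &lt;= 0, now(), $tolatest$)
| where _time >= earliest AND _time &lt;= latest
| timechart count</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the panel query references `$toearliest$` and `$tolatest$`, it waits until the background search has finished and set both tokens, and it reruns whenever the picker changes them.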