I'm running the transaction command in a drilldown panel that passes the times picked on the timechart down to the next panel as tokens. The problem I run into is where the transactions don't fall within the hour slice, I want the token to subtract an hour from the earliest time, and add an hour to the latest, so I can encompass the transaction.
$earliest_time$ - 1h
Is there a way to offset the tokens this way?
I guess the earliest and latest value that you get from the drilldown will in epoch, so try one of these in the drilldown search
your base search earliest=($earliest_time$-3600) ...rest of the search
your base search [| gentimes start=-1 |eval earliest=$earliest_time$-3600 | table earliest ]
You could change your token before it is consumed by the search. Do this in your drilldown:
<eval token="time_tok_plus_1h_earliest">relative_time(relative_time(now(), 'earliest'), "+1h")</eval> <eval token="time_tok_plus_1h_latest">relative_time(relative_time(now(), 'latest'), "+1h")</eval>
Replace earliest and latest with wherever your values come from, e.g.
Did you ever find a solution to this?
I've tried so many combinations of 'possible solutions' I've seen posted, but none of them have worked for me.