Hi Splunk Team,
I have a quick question.
I'm writing a join query wherein I want query A ("Birth Test") to execute as per the time picker in the dashboard, but query B ("Modem Details") should by default execute over the last 30 days.
index="o2a" application="publisher-v2" "Birth Test" "Request received"
| rex field=message "(?msi)(?<json_message>\{.+\})"
| spath input=json_message output=externalReferenceId path=correlationId
| table externalReferenceId,_time
| eval BTActivityStartTime = strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time
| join type=outer externalReferenceId
[ search
index="o2a" application="publisher-v2" "Modem Details" "Request received"
| rex field=message "(?msi)(?<json_message>\{.+\})"
| spath input=json_message output=externalReferenceId path=correlationId
| table externalReferenceId,_time
| eval ModemActivityStartTime = strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time
]
|table ModemActivityStartTime,BTActivityStartTime,externalReferenceId,OrderID
Could you please assist? Thanks so much.
Please add "earliest" and "latest".
https://community.splunk.com/t5/Splunk-Search/earliest-latest-and-time-variables/m-p/168956
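
The suggestion above applied to the query from the question, as an added example that is not part of the original thread: inline `earliest`/`latest` modifiers inside the subsearch override the dashboard time picker for that subsearch only, while the outer "Birth Test" search keeps following the picker. The `-30d` / `now` values are an assumption taken from the "last 30 days" requirement in the question.

```spl
index="o2a" application="publisher-v2" "Birth Test" "Request received"
| rex field=message "(?msi)(?<json_message>\{.+\})"
| spath input=json_message output=externalReferenceId path=correlationId
| table externalReferenceId,_time
| eval BTActivityStartTime = strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time
| join type=outer externalReferenceId
    [ search
      index="o2a" application="publisher-v2" "Modem Details" "Request received" earliest=-30d latest=now
      | rex field=message "(?msi)(?<json_message>\{.+\})"
      | spath input=json_message output=externalReferenceId path=correlationId
      | table externalReferenceId,_time
      | eval ModemActivityStartTime = strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time
    ]
| table ModemActivityStartTime,BTActivityStartTime,externalReferenceId,OrderID
```

A `join` subsearch is subject to result-count and runtime limits, so a 30-day window over a busy index can be truncated without an error; check the job inspector for subsearch warnings when results look incomplete.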