- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there an option to add Time Token function on D...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
I have several Dashboards that contain base searches data from reports for example:
<search id="baseSearch" ref="Report"></search>
but, I see that I am not getting option to add time token on dashboard.
Is there any option we can provide the time token to expand or reduced time window for end users on dashboard by using ref="Report" saved search method ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reports are snapshots of data and can't be changed after they are created. Thus you aren't able to change the time on a report once it is done. You could create multiple reports with the same search but different time ranges but I don't think that is what you want.
You could create the report over the maximum duration that you want users to see and use a time picker to limit the events shown.
Make a separate panel in the dashboard that uses the report as its base and insert the following code:
| where _time>relative_time(now(),"$time_token.earliest$")
Dashboard example:
<form version="1.0">
<search id="base" ref="test_report"></search>
<label>Test</label>
<fieldset submitButton="false">
<input type="time" token="time_token">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>This is my Panel</title>
<table>
<search base="base">
<query>| where _time>relative_time(now(),"$time_token.earliest$")</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
_______________________________________
If this was helpful please consider awarding Karma. Thx!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is awesome. Thank you for sharing this is working @FelixLeh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad to hear that! You're Welcome! 😄
(You could mark my answer as the solution to complete/close the question 😉 )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reports are snapshots of data and can't be changed after they are created. Thus you aren't able to change the time on a report once it is done. You could create multiple reports with the same search but different time ranges but I don't think that is what you want.
You could create the report over the maximum duration that you want users to see and use a time picker to limit the events shown.
Make a separate panel in the dashboard that uses the report as its base and insert the following code:
| where _time>relative_time(now(),"$time_token.earliest$")
Dashboard example:
<form version="1.0">
<search id="base" ref="test_report"></search>
<label>Test</label>
<fieldset submitButton="false">
<input type="time" token="time_token">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>This is my Panel</title>
<table>
<search base="base">
<query>| where _time>relative_time(now(),"$time_token.earliest$")</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
_______________________________________
If this was helpful please consider awarding Karma. Thx!
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
