Solved: Using a Token to set the earliest value in a multi...

Steve_A200 · ‎01-03-2024

Hi,

I am trying to create a splunk classic dashboard, but struggling with setting the earliest values.

The goal is to run a search, and have the results pull data from 2 different index files while controlling the data pulled from the first index by a dropdown time parameter.

The SPL is part of a radio button option with the dashboard and starts as such:

( (index=first_index source="first_file_location" $time_range$ latest=-1d@d() ) OR
(index=second_index earliest=@d latest=now() source="second_file_location")
... rest of the SPL

time_range token is the dropdown input with a static value set to
earliest=-7d@d()

When I run the search, it is not substituting the static value into the search, and is populating it as the token name with the $ sign.

Would it be possible to set the earliest value for the first index using a dropdown menu.

Any assistance would be greatly appreciated.

Thanks

Steve_A200 · ‎01-03-2024

I figured it out, the universal _time would be used by default when no earliest/latest parameters are specified.

View solution in original post

Steve_A200 · ‎01-03-2024

I figured it out, the universal _time would be used by default when no earliest/latest parameters are specified.

Using a Token to set the earliest value in a multi index search

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Using a Token to set the earliest value in a multi index search

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard