how to make time_token.earliest in readable format

chuck_life09 · ‎03-17-2021

Hi,

I have like this

<title>Report $time_token.earliest$</title>

result : Report -30d@d

can the result be changed to show

Report 30days

peter_krammer · ‎03-17-2021

You can probably achieve it with the reltime command and setting it to a token from within a hidden search.

https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Reltime

Here is an example dashboard:

<form>
  <label>Reltime</label>
  <search>
    <query>
      | makeresults 
      | addinfo 
      | eval _time = info_min_time | reltime | rename reltime as reltime1
      | eval _time = info_max_time | reltime | rename reltime as reltime2
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
    <done>
      <set token="reltime1">$result.reltime1$</set>
      <set token="reltime2">$result.reltime2$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time_token">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events between $reltime1$ and $reltime2$</title>
      <table>
        <search>
          <query>
            | makeresults 
            | addinfo 
            | eval _time = info_min_time | reltime | rename reltime as reltime1
            | eval _time = info_max_time | reltime | rename reltime as reltime2
          </query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

how to make time_token.earliest in readable format

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

how to make time_token.earliest in readable format

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem