There are generally 2 ways to do this: one can be done in search alone and the other can be done in a dashboard. I tend to use the dashboard approach when in a dashboard, which is to use addinfo and to calculate the ranges needed for the outer search.

The technique is to use a hidden search, either in a table where you have <row depends="$hidden$"> as the row header, or as a base search in the core body of the XML. (NB: In this example I have not hidden the search, so you can see what's generated.) However, see this example, which calculates 10 periods going back over the last 10 days with the correct matching time period.

<form version="1.1" theme="light">
  <label>Times</label>
  <fieldset submitButton="false">
    <input type="time" token="thetime" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-5m@m</earliest>
        <latest>@m</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <set token="pd_min_current">$result.pd_min_current$</set>
            <set token="pd_max_current">$result.pd_max_current$</set>
            <set token="pd_min_1">$result.pd_min_1$</set>
            <set token="pd_max_1">$result.pd_max_1$</set>
            <set token="pd_min_2">$result.pd_min_2$</set>
            <set token="pd_max_2">$result.pd_max_2$</set>
            <set token="pd_min_3">$result.pd_min_3$</set>
            <set token="pd_max_3">$result.pd_max_3$</set>
            <set token="pd_min_4">$result.pd_min_4$</set>
            <set token="pd_max_4">$result.pd_max_4$</set>
            <set token="pd_min_5">$result.pd_min_5$</set>
            <set token="pd_max_5">$result.pd_max_5$</set>
            <set token="pd_min_6">$result.pd_min_6$</set>
            <set token="pd_max_6">$result.pd_max_6$</set>
            <set token="pd_min_7">$result.pd_min_7$</set>
            <set token="pd_max_7">$result.pd_max_7$</set>
            <set token="pd_min_8">$result.pd_min_8$</set>
            <set token="pd_max_8">$result.pd_max_8$</set>
            <set token="pd_min_9">$result.pd_min_9$</set>
            <set token="pd_max_9">$result.pd_max_9$</set>
            <set token="pd_min_10">$result.pd_min_10$</set>
            <set token="pd_max_10">$result.pd_max_10$</set>
          </done>
          <query><![CDATA[| makeresults
| addinfo
| eval pd_min_current=info_min_time, pd_max_current=info_max_time
| foreach 1 2 3 4 5 6 7 8 9 10 [
  eval pd_min_<<FIELD>>=relative_time(info_min_time, "-"."<<FIELD>>"."d"),
       pd_max_<<FIELD>>=relative_time(info_max_time, "-"."<<FIELD>>"."d")
  ]
| fields - info_*]]></query>
          <earliest>$thetime.earliest$</earliest>
          <latest>$thetime.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query><![CDATA[index=_audit
  (earliest >= $pd_min_current$ AND latest < $pd_max_current$) OR
  (earliest >= $pd_min_1$ AND latest < $pd_max_1$) OR
  (earliest >= $pd_min_2$ AND latest < $pd_max_2$) OR
  (earliest >= $pd_min_3$ AND latest < $pd_max_3$) OR
  (earliest >= $pd_min_4$ AND latest < $pd_max_4$) OR
  (earliest >= $pd_min_5$ AND latest < $pd_max_5$) OR
  (earliest >= $pd_min_6$ AND latest < $pd_max_6$) OR
  (earliest >= $pd_min_7$ AND latest < $pd_max_7$) OR
  (earliest >= $pd_min_8$ AND latest < $pd_max_8$) OR
  (earliest >= $pd_min_9$ AND latest < $pd_max_9$) OR
  (earliest >= $pd_min_10$ AND latest < $pd_max_10$)
| bin _time span=5m aligntime=@m
| chart count by _time user]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

See how the <done> part of the hidden search will then set the tokens needed by your actual search.

The other technique is to do the same as the hidden search, but in a subsearch, so the subsearch will return earliest and latest for each of the periods you want to restrict to.

Hope this helps
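
The subsearch variant mentioned at the end of the answer, written out as an added example that is not part of the original post. It assumes the same index=_audit search and 10-day look-back as the dashboard above; the helper field n is a hypothetical name, and the explicit n=0 branch stands in for the pd_*_current pair.

```spl
index=_audit
    [| makeresults
     | addinfo
     | eval n=mvrange(0, 11)
     | mvexpand n
     | eval earliest=if(n=0, info_min_time, relative_time(info_min_time, "-".tostring(n)."d")),
            latest=if(n=0, info_max_time, relative_time(info_max_time, "-".tostring(n)."d"))
     | fields earliest latest
     | format ]
| bin _time span=5m aligntime=@m
| chart count by _time user
```

Each row the subsearch returns becomes one OR'd (earliest=... latest=...) group in the outer search, so the time picker only defines the base window. With an "All time" picker addinfo reports info_max_time as +Infinity, so use a bounded range.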